Do you guys block any ports on the SM side for the health of your network?

I block SMB and DNS servers.

That way, my customers can’t see each other in the “Network Neighborhood” and I’m protected from a customer setting up a DHCP server and handing out addresses to other subscribers.

I block SMB

We block the following:
Bootp Server (routers plugged in backwards)
IPv4 Multicast (stops a lot of unnecessary broadcast traffic)

Guys, we are seeing a very strange issue here.

We have two clients on a bridged connection and on the same VLAN. Both SMs are set to block SMB yet client A is able to see Client B’s PC on his network neighbourhood.

Needless to say that I am stumped.

Any clues?

We block SMB, bootp server, PPPoE, and multicast.

Vanilla. I wonder if the VLANing removes the filtering within the VLAN, but blocks to outside traffic? Just a thought, I don’t actually know. I do know that SMB sharing uses several different ports for different functions. The network browsing, for instance, is a different port than the file transfer itself. Can they only see each other, or can they fully R/W to shares?

They can browse and read, write and delete files…

Scary stuff.

I’m going to bump this up again as in my view this is a very serious problem.

Two subscribers, using two SMs on the same VLAN, both with SMB filtered on their SMs and on bridge.

Subscriber A can see the PC of Subscriber B and can read, write and delete files.

This is a serious problem. It occurs when running 7.36 or vers 8.

Has anyone else seen this?

Confirm that you are blocking the following:

The following ports are associated with file sharing and server message block (SMB) communications:
• Microsoft file sharing SMB: User Datagram Protocol (UDP) ports from 135 through 139 and Transmission Control Protocol (TCP) ports from 135 through 139.
• Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).

Jerry, thanks for your reply.

The SM allows you to select SMB as one of the Protocols to block and then also allows another 3 user defined ports.

If you select SMB, I assume it handles all SMB related ports. Correct?

I would assume SMB blocks 135 to 139; however, you will need to add 445.

Not sure if this will solve your problem but it’s worth a try.

I assume you are also blocking multicast?

We block multicast. I cannot understand how nobody has seen this before.

I cannot even understand how this is the first client who actually saw this. There must be loads of people who still have their PC set to use WORKGROUP as their workgroup name…
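
One way to verify the filtering discussed in this thread, run from a test PC behind one SM against a test PC behind another. This is an added example, not code from any poster or from the equipment vendor; the function names are hypothetical and the target address is a documentation placeholder. It checks only the TCP ports from the list quoted above, since UDP offers no handshake to observe.

```python
import socket

# TCP ports from the list quoted in the thread: 135-139, plus direct-hosted SMB on 445.
SMB_TCP_PORTS = list(range(135, 140)) + [445]


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port as seen from this side of the filter.

    'open'     - handshake completed, so the filter passed the traffic.
    'closed'   - connection refused (RST): the packet still reached the
                 far host, so the filter is not dropping this port.
    'filtered' - timeout or unreachable: consistent with the filter
                 dropping the packet (or the far host being down).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout
        return "filtered"
    finally:
        sock.close()


def audit_filter(host, ports=SMB_TCP_PORTS, timeout=2.0):
    """Return ({port: state}, [ports the filter is NOT dropping])."""
    states = {p: probe_tcp(host, p, timeout) for p in ports}
    leaking = [p for p, s in states.items() if s != "filtered"]
    return states, leaking


if __name__ == "__main__":
    # Placeholder address (assumption): replace with the IP of a test PC
    # that sits behind a different SM on the same VLAN.
    states, leaking = audit_filter("192.0.2.10")
    for port, state in sorted(states.items()):
        print(f"tcp/{port}: {state}")
    print("not filtered:", leaking or "none")
```

If the far PC is confirmed up and any port comes back `open` or `closed`, the SM filter is not dropping that traffic; a correctly applied filter shows all six ports as `filtered`.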