VOGONS


First post, by feipoa


I posted a form of the following on the Netgear forums, without reply.

I noticed that there were some serious security vulnerabilities with my R7000 router, in particular:
CVE-2022-48196
CVE-2022-37235
CVE-2022-37234,

for which a cyber attacker can use a technique termed "pre-authentication buffer overflow" to access your router, run code on your computer, and engage in identity theft. I have no idea how this is performed. Is this a simple task and how prevalent has this been?

This vulnerability affects R7000 firmwares v1.0.11.134_10.2.119 and older. There have since been two firmware releases which addressed this buffer overflow vulnerability, namely

v1.0.11.216_10.2.122
v1.0.12.216_10.2.122,

however, support for the R7000 has recently ended.

If I apply either of these two newer firmware patches, I am no longer able to access shared drives on older networked Windows computers, nor access the router's network attached storage share folder (NAS). I primarily use Ubuntu, which hasn't had an issue accessing the router's NAS, however my older computers, like Windows XP, which I sometimes need to use, can no longer see the router's NAS. On the XP machine, I might briefly attach the ethernet cable to pull files from the NAS.

How do I get either firmware v1.0.11.216 or firmware v1.0.12.216 to network share with older Windows computers? On the other hand, these older computers can still access the internet using web browsers, however they cannot view the NAS. Is there some setting I am missing in the router setup, e.g. a setting which must be applied on these newer firmwares which isn't part of the old firmwares? Or is the limitation in the newer firmwares by design? If I revert back to v1.0.11.134, there is no issue.

Thanks for your help!

Plan your life wisely, you'll be dead before you know it.

Reply 1 of 18, by SScorpio


XP uses the old SMB v1 protocol while we are currently on v3.

Ideally the more you are running on your router, the higher the chance of security holes. You might be able to get into the config files to re-enable the older protocols. But I instead recommend separating the NAS from the router. There's a project called RetroNAS which was designed around the Raspberry Pi and many different older protocols for legacy systems.

If you refuse to take this advice, it looks like you might be able to run an FTP server on your router and access files that way from XP.

Reply 2 of 18, by feipoa


Your theory surrounding firmware disabled SMB v1 sounds plausible.

Concerning the RetroNAS, if the R7000 is now supporting only SMB v2 or v3, how does the RetroNAS still communicate via SMB v1 to a networked WinXP machine?

Does anyone know how problematic the pre-authentication buffer overflow is on the R7000 or similar series routers? For example, does it hack the NAS files? I keep nothing of importance on the NAS - it is used mainly as a bridge between Ubuntu's stored files and Win3.1 thru WinXP machines, primarily for driver files. Or, if someone has gained admin access to the router, can they still tunnel into an up-to-date Ubuntu installation and loot the stored files? Or is the vulnerability one that waits for users to input bank passwords on websites, then copies those? Or is the vulnerability with wifi only? I've seen some videos whereby people can cause Netgear routers to reboot endlessly from wifi attackers. Netgear has remained quiet on the exact consequence and path for this vulnerability. They also have not mentioned the symptoms, e.g. will I notice my router's password has been set back to default; will I see settings altered; sluggish performance; will I get errors whereby the browser cannot resolve DNS, etc?

Plan your life wisely, you'll be dead before you know it.

Reply 3 of 18, by feipoa


OK, it seems I can just use an old XP machine as the "retro Samba v1 file server". The router is OK to have connected computers use SMB v1 between them, just not to have access to the router's NAS. In which case, what would be the purpose of the RetroNAS RasPi system?

Plan your life wisely, you'll be dead before you know it.

Reply 4 of 18, by SScorpio


The RetroNAS could be your system for legacy systems. Or you can host files on XP as you discovered. The need is to get the files away from the router.

The benefit of RetroNAS is that it works with legacy non-Windows systems as well. But if you don't need it, that's fine.

Reply 5 of 18, by RetroGamer4Ever


You might be able to find user-made/community firmware for those routers that updates the core OS components or replaces them entirely, though your findings will vary, based on the age of the router and commitment from authors. A really good guy named Voxel makes firmware updates for the R9000 and R7800 that are continuously updated with the open-source components that Netgear no longer bothers to update, so if you have either of those, give his firmware a try.

https://www.voxel-firmware.com/Downloads/Voxe … html/index.html

At this point, an R7000 isn't good or safe for router usage, without a consistently updated third-party firmware, but you can certainly use it as an access-point/network switch/extender, which is what I do with older Netgear routers that are no longer firmware updated.

Reply 6 of 18, by feipoa


I tried to place the retro file server on my Ubuntu installation, by sharing a Samba folder called "retro". I enabled SMB v1 thru v3 by editing /etc/samba/smb.conf with:

server min protocol = NT1
server max protocol = SMB3

while XP is able to view the existence of this folder, it would not let XP open or view the contents, likely for some security reasons. I quickly gave up on that by commenting out the above two lines. Ubuntu, however, is able to read/write to the XP share on the XP machine, just not the other way around. Not wanting to put any more time into this, I will leave the retro file share on the XP laptop, which is normally not powered on. It will be powered on if, for example, I want to grab some old driver files via ethernet on a Windows 3.11 machine. In which case, I manually transfer files to the XP laptop (from Ubuntu), then use Win 3.11 to grab these files from XP laptop. It is essentially the same as having the Netgear NAS, except that I don't keep this laptop powered until I need to use it.

For completeness, I will add that Windows 7 is still able to access the Netgear NAS and Windows 7 is still able to read/write to a shared folder on Ubuntu. This must be due to Win7 supporting SMB v2/3, whereas Win3.11 thru XP does not. I do not understand why adding 'server min protocol = NT1' to smb.conf didn't work with XP, however.

RetroGamer4Ever wrote on 2025-04-27, 16:33:

You might be able to find user-made/community firmware for those routers that updates the core OS components or replaces them entirely, though your findings will vary, based on the age of the router and commitment from authors. A really good guy named Voxel makes firmware updates for the R9000 and R7800 that are continuously updated with the open-source components that Netgear no longer bothers to update, so if you have either of those, give his firmware a try.

https://www.voxel-firmware.com/Downloads/Voxe … html/index.html

At this point, an R7000 isn't good or safe for router usage, without a consistently updated third-party firmware, but you can certainly use it as an access-point/network switch/extender, which is what I do with older Netgear routers that are no longer firmware updated.

The file date for the latest firmware for the Netgear R7000 was from 1 Oct 2024, after which it was declared EOL. Have there been any critical security vulnerabilities discovered since then? I don't know, but I do plan on pursuing alternate firmware options at some point and was considering FreshTomato. I didn't see an R7000 option from Voxel. The hesitation for FreshTomato is the probability of bricking the router, and needing to re-add roughly 100 MAC addresses to the safe list. Ideally, the MAC address filter option would only be needed for WiFi devices, however my existing R7000 insists on having the filter for wired and wireless, or none at all. I have no idea if Fresh Tomato has this annoying restriction.

I'm also not sure if the latest FreshTomato firmware for the R7000 is newer than Oct 2024. Is it?
EDIT, apparently it is from March 2025: https://freshtomato.org/downloads/freshtomato … rm/2025/2025.2/

Plan your life wisely, you'll be dead before you know it.
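
Added example, not part of feipoa's post or of Samba's own tooling: a small audit of an smb.conf like the one described above. It assumes current Samba defaults (`server min protocol = SMB2_02`, `ntlm auth = ntlmv2-only`), and the `[retro]` share path and function names are constructed. It flags one common reason an SMB1-only client can reach a server yet fail to open a share (the server still refuses NTLMv1), which the thread does not confirm was the cause here, along with the exposure that enabling SMB1 creates.

```python
# Added example: audit an smb.conf for legacy SMB1/NTLMv1 exposure.
# SAMPLE_CONF is constructed; only the two "server ... protocol" lines come from the post.

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# Assumed defaults of current Samba releases (4.11 and later).
DEFAULTS = {"server min protocol": "SMB2_02", "ntlm auth": "ntlmv2-only"}

SAMPLE_CONF = """\
[global]
   server min protocol = NT1
   server max protocol = SMB3
   ; ntlm auth left at its default

[retro]
   path = /srv/retro
   read only = no
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lower-cased and space-normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return a list of findings about SMB1 and NTLMv1 exposure."""
    conf = parse_smb_conf(text)
    glob = {**DEFAULTS, **conf.get("global", {})}
    findings = []
    smb1 = glob["server min protocol"].upper() in SMB1_DIALECTS
    ntlmv1 = glob["ntlm auth"].lower() in {"yes", "ntlmv1-permitted"}
    if smb1:
        findings.append("SMB1 negotiable: server min protocol = " + glob["server min protocol"])
        if not ntlmv1:
            findings.append("NTLMv1 rejected (ntlm auth = %s): clients that only send "
                            "LM/NTLMv1 responses will fail to authenticate" % glob["ntlm auth"])
    if ntlmv1:
        findings.append("NTLMv1 accepted: weak challenge-response allowed for every share")
    for name, share in conf.items():
        if name == "global" or not smb1:
            continue
        if "hosts allow" not in share and "hosts allow" not in glob:
            findings.append("[%s] reachable over SMB1 from any host (no hosts allow)" % name)
        read_only = share.get("read only", "yes").lower()
        writable = share.get("writable", share.get("writeable", "no")).lower()
        if read_only in {"no", "false", "0"} or writable in {"yes", "true", "1"}:
            findings.append("[%s] is writable over SMB1" % name)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```

If SMB1 has to stay enabled for a retro client, a `hosts allow` line naming that client and `read only = yes` on the share clear the last two findings.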

Reply 7 of 18, by chinny22

feipoa wrote on 2025-04-28, 01:02:

I tried to place the retro file server on my Ubuntu installation, by sharing a Samba folder called "retro". I enabled SMB v1 thru v3 by editing /etc/samba/smb.conf with:

server min protocol = NT1
server max protocol = SMB3

while XP is able to view the existence of this folder, it would not let XP open or view the contents, likely for some security reasons. I quickly gave up on that by commenting out the above two lines. Ubuntu, however, is able to read/write to the XP share on the XP machine, just not the other way around. Not wanting to put any more time into this, I will leave the retro file share on the XP laptop, which is normally not powered on. It will be powered on if, for example, I want to grab some old driver files via ethernet on a Windows 3.11 machine. In which case, I manually transfer files to the XP laptop (from Ubuntu), then use Win 3.11 to grab these files from XP laptop. It is essentially the same as having the Netgear NAS, except that I don't keep this laptop powered until I need to use it.

For completeness, I will add that Windows 7 is still able to access the Netgear NAS and Windows 7 is still able to read/write to a shared folder on Ubuntu. This must be due to Win7 supporting SMB v2/3, whereas Win3.11 thru XP does not. I do not understand why adding 'server min protocol = NT1' to smb.conf didn't work with XP, however.

Not familiar with Ubuntu but guess it's similar to Windows where you must have both an SMB client (allows access to files over network) and SMB server (allows other network computers access to this computer's files) service enabled.

SMB2 was first introduced with Windows Vista
SMB1 would auto disable in Win10 1709 if not used after 15 days but can be reenabled even on the current version of Win11.

With all that said I also run a "retro server" in my case Server 2003 just makes life easy, and it's cool

Reply 8 of 18, by feipoa

chinny22 wrote on 2025-04-29, 01:25:

Not familiar with Ubuntu but guess it's similar to Windows where you must have both an SMB client (allows access to files over network) and SMB server (allows other network computers access to this computer's files) service enabled.

SMB2 was first introduced with Windows Vista
SMB1 would auto disable in Win10 1709 if not used after 15 days but can be reenabled even on the current version of Win11.

With all that said I also run a "retro server" in my case Server 2003 just makes life easy, and it's cool

Both client and server must be running because all other Linux computers on the network can read/write to Ubuntu's 'retro' shared folder. At any rate, I find it stressful and time consuming to circumvent Linux issues like this and am sticking with the XP retro server on my old laptop for now. Maybe when I update my router to Fresh Tomato, there will be an option to use SMB v1 on the NAS.

I guess you aren't concerned about hacking on your Windows Server 2003 system?

Plan your life wisely, you'll be dead before you know it.

Reply 9 of 18, by chinny22

feipoa wrote on 2025-04-29, 02:37:

Both client and server must be running because all other Linux computers on the network can read/write to Ubuntu's 'retro' shared folder. At any rate, I find it stressful and time consuming to circumvent Linux issues like this and am sticking with the XP retro server on my old laptop for now. Maybe when I update my router to Fresh Tomato, there will be an option to use SMB v1 on the NAS.

I guess you aren't concerned about hacking on your Windows Server 2003 system?

Sorry, should have been a bit clearer: client and server specifically supporting SMB1. Win10, for example, will disable the SMB1 client, but SMB2 and above will still happily work.
But whatever we aren't trying to fix that!

I've almost always had some old computer running some old version of Windows server since the late 90's and it's never been hacked.
- If you're treating it like a NAS (That is just access shares from other computers, not logging into the server and doing stuff)
- Only turning it on when needed
- And it's sitting quietly behind your router's firewall

Then its exposure to the outside world is very limited

Reply 10 of 18, by Horun


Agree chinny ! In CVSS (Common Vulnerability Scoring System), an "Adjacent" attack vector (AV:A) means a vulnerability can be exploited by an attacker who is on the same physical or logical network as the target system. This implies the attacker needs to be in close proximity to the vulnerable system, either through shared network infrastructure or a nearby physical network. And: Adjacent (A) The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment.
Basically anyone who has been granted access to any part of the network could possibly exploit this. One reason it is critical is because many small businesses have a guest type login (guest wifi) that would put them on part of the network that then could be exploited to gain full access. (copied from security exchange and others)
I do not think your home private network is at much risk of being exploited....

Hate posting a reply and then have to edit it because it made no sense 😁 First computer was an IBM 3270 workstation with CGA monitor. Stuff: https://archive.org/details/@horun

Reply 11 of 18, by dionb

feipoa wrote on 2025-04-28, 01:02:

[...]
The file date for the latest firmware for the Netgear R7000 was from 1 Oct 2024, after which it was declared EOL. Have there been any critical security vulnerabilities discovered since then?

Assume they will be.

This device is based on the ubiquitous Broadcom BCM4360, which was used in a very large portion of routers in its day and the R7000 was one of the most sold devices in retail. Its firmware is basically Linux, which while basically secure by design is pretty complex and constantly probed for vulnerabilities - so it's a specific target now Netgear dropped the support after 11 years, just like its contemporary Windows 8.1.

I don't know, but I do plan on pursuing alternate firmware options at some point and was considering FreshTomato. I didn't see an R7000 option from Voxel. The hesitation for FreshTomato is the probability of bricking the router, and needing to re-add roughly 100 MAC addresses to the safe list. Ideally, the MAC address filter option would only be needed for WiFi devices, however my existing R7000 insists on having the filter for wired and wireless, or none at all. I have no idea if Fresh Tomato has this annoying restriction.

I'm also not sure if the latest FreshTomato firmware for the R7000 is newer than Oct 2024. Is it?
EDIT, apparently it is from March 2025: https://freshtomato.org/downloads/freshtomato … rm/2025/2025.2/

The important thing isn't that the firmware is newer, it's that it's in active support so if something bad comes along it will get fixed.

Potential bricking is an issue with any firmware-based stuff, but there are bootblock recovery procedures if things go wrong. And worst-case we're talking about a very common now 12 year old device that you can pick up for EUR 10 (multiple sellers here locally for that price), so it's not like you'll be madly out of pocket or have broken something unique.

FWIW I'd agree with other posters saying you should keep your router as secure as possible and if you want to run old insecure protocols like SMBv1, don't do that on the router, do it on some device on the LAN instead.

Reply 12 of 18, by feipoa


I had been running v1.0.11.134 (Feb 2022) for 3 years, which was vulnerable to the "pre-authentication buffer overflow" vulnerability. Maybe I'm already hacked.

I do find it curious that my router isn't letting me change the router password under Advanced/Administration/Set Password. It returns an error "400 Bad Request: This server does not support the operation requested by your client." I tried downgrading the firmware, but still could not change password. I put the newest firmware back on, but still receive the same error. Posted to Netgear forum, no help there.

It does look like Fresh Tomato is still supporting R7000. Just need to coordinate a time with the whole family when we can go offline for a day.

How do you keep the XP retro server on the LAN with SMB v1, but ensure it doesn't connect to the internet?

Plan your life wisely, you'll be dead before you know it.

Reply 13 of 18, by chinny22

feipoa wrote on 2025-04-29, 08:53:

How do you keep the XP retro server on the LAN with SMB v1, but ensure it doesn't connect to the internet?

"Proper way"
Set rules in your router's firewall blocking the server's IP address to the outside world

"cheat way"
On the server itself give it the wrong gateway address, eg 127.0.0.1

"my way"
I live dangerously and don't do anything so technically it CAN get out on the internet. I just don't encourage it by installing loads of software trying to run updates, browsing, etc

Reply 14 of 18, by feipoa


Thanks!

chinny22 wrote on 2025-04-30, 03:09:

"Proper way"
Set rules in your router's firewall blocking the server's IP address to the outside world

Ok, so we would need to set a static IP on the retro server, then add this LAN IP to the block list on the router. Have you tried this before? The retro server can still access other computers on the LAN?

chinny22 wrote on 2025-04-30, 03:09:

"cheat way"
On the server itself give it the wrong gateway address, eg 127.0.0.1

Ahh, I've never tried this before. This doesn't auto correct? From my recollection, if we leave gateway blank, Internet still works.

chinny22 wrote on 2025-04-30, 03:09:

"my way"
I live dangerously and don't do anything so technically it CAN get out on the internet. I just don't encourage it by installing loads of software trying to run updates, browsing, etc

This is what I've been doing all along. I like to force my ancient computers onto a web browser for some brief tests.

Plan your life wisely, you'll be dead before you know it.

Reply 15 of 18, by chinny22

feipoa wrote on 2025-04-30, 04:42:

Ok, so we would need to set a static IP on the retro server, then add this LAN IP to the block list on the router. Have you tried this before? The retro server can still access other computers on the LAN?

Quite common to do this at work, never really had the need at home. Nothing will be blocked on the LAN side of your network.
I'm not familiar with this Netgear router but a quick google of "r6700 block pc to internet" brings up the following.
Looks like it's done with MAC address so you don't even need to assign a static IP!

Access the router's web interface: Open a web browser and go to routerlogin.net or your router's IP address (usually 192.168.1.1 or 192.168.0.1).
Log in: Enter your router's username and password
Navigate to Access Control: Go to ADVANCED > Security > Access Control.
Enable Access Control: Check the box to "Turn on Access Control".
Select the appropriate radio button: Choose "Allow all new devices from connecting". (I changed this from the google result which said block all new)
Add the device's MAC address to the blocked list: Find the blocked devices list and add the MAC address of the PC you want to block.
Apply the settings: Save the changes and ensure the access control is enabled.

feipoa wrote on 2025-04-30, 04:42:

Thanks!
Ahh, I've never tried this before. This doesn't auto correct? From my recollection, if we leave gateway blank, Internet still works.

Not sure if you leave it blank, maybe it grabs it from DHCP? Never tried. Setting it to something obvious 127.0.0.1 (loopback IP) just makes it obvious to me why internet isn't working when I forget what I did 6 months ago!

feipoa wrote on 2025-04-30, 04:42:

This is what I've been doing all along. I like to force my ancient computers onto a web browser for some brief tests.

Same, I don't know why but sometimes I just miss Netscape 3 or IE 6, so a quick browse a few times a year isn't going to hurt, especially as the internet is pretty broken on those browsers anyway, so a quick browse is all I do.

Reply 16 of 18, by shevalier

User metadata
Rank Oldbie
Rank
Oldbie

Things are somehow complicated for you...
https://firmware-selector.openwrt.org/?versio … d=netgear_r7000

And then the usual Linux in the console for freaks, or Firewall in the WEB interface.

Aopen MX3S, PIII-S Tualatin 1133, Radeon 9800Pro@XT BIOS, Diamond monster sound MX300
JetWay K8T8AS, Athlon DH-E6 3000+, Radeon HD2600Pro AGP, Audigy 2 Value

Reply 17 of 18, by wierd_w


'For freaks' he says, when industry SAN appliances are very frequently controlled this way, as are enterprise firewalls, fabric switches, and routers.....

Reply 18 of 18, by shevalier

wierd_w wrote on 2025-04-30, 13:59:

'For freaks' he says, when industry SAN appliances are very frequently controlled this way, as are enterprise firewalls, fabric switches, and routers.....

I'm definitely not ready to argue which is cooler, Aruba or Ruckus.
Cisco occupies an honorable third place in Wi-Fi networks, but specialists in this equipment are a very specific caste.
Although SOHO love Ubiquiti and Mikrotik.
Although Mikrotik had an interesting proprietary protocol with TDM over Wi-Fi.

This console of yours is complicated and incomprehensible. 🙁

PS. If your router has enough CPU and memory + USB port, you can set up a SAMBA server directly on it. OpenWRT allows you to do this in a few clicks.

Aopen MX3S, PIII-S Tualatin 1133, Radeon 9800Pro@XT BIOS, Diamond monster sound MX300
JetWay K8T8AS, Athlon DH-E6 3000+, Radeon HD2600Pro AGP, Audigy 2 Value