A small concise update: I *really* have no idea what is the cause of the problem.
The long story: (1) Yes, forwarding is correctly set, as far as I can tell. I tried also with exposing the host completely (an option in FRITZ!Box) and nothing changes, so I tend to assume forwarding works. All tools on the internet checking if a port is open tell that 445 is closed, but I believe they cannot distinguish whether the ISP closed it, the router did not forward it, or the service on the destination host is broken. In other words, I do not think they help much debugging. (2) I believe the SMB/CIFS server works fine, for I can connect from the home network both by host name and by internal IP without any difficulty. Besides, it has always worked from the internet for years before the change in the Swisscom contract (but I do not use it very often, so I cannot correlate with certainty the two events). (3) I have another server at home with some open SMB/CIFS shares. It has a completely different and much more recent version of Linux and Samba and, in some respects, I think its configuration is much more straightforward (read: there is less likelyhood of stupid sneaky errors on my side). I have opened 445 and the other SMB/CIFS ports in the router toward that newer host and the behaviour is *exactly* the same. (4) This would seem enough for me to blame Swisscom, but for one experiment: I tried the undocumented FRITZ!Box feature to capture all packets before and after the router and used Wireshark to look at the traffic. Let me say upfront that I am too ignorant to really know what is happening but the exchanges to the SMB/CIFS host from a local host and from a remote host (via internet) look quite different and, even at the packet level, it is clear that the former succeed while the latter exchange somehow get screwed. Again, I do not understand enough to tell what is going on, but what puzzled me is that I see coming from Internet some packets to port 445 and, of course, they are correctly forwarded. Unfortunately, they do not seem the same that come (while performing the very same operations) from the local host. One wild theory that I have is that Swisscom does sends through some 445 packets but corrupted in some way or replaced with some other stuff. Is this possible? Or is anything else failing? I have no idea.
The conclusion: due to the problem, I read a bit around about the SMB/CIFS security concerns and, although I really have nothing much confidential or valuable on the share, I decided that it is still a better idea to rely on SFTP and forget SMB/CIFS on the internet. I find it marginally less comfortable, but....
But, for the record, I am not sure that Swisscom treats packets to port 445 transparently as it should. Something iffy on their side remains the most plausible explanation of the problem in my mind.
