[ previous ] [ next ] [ threads ]
 
 From:  "Brian Buys" <bbuys at tritel dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] NetBIOS Resolution over IPSEC/PPTP
 Date:  Mon, 28 Jun 2004 10:47:10 -0600
For Windows clients, I use a quick-and-dirty workaround for browsing over
the VPN.  I created a copy of lmhosts which has the machine addresses and
netbios names listed using the #PRE tag, and I distributed this file to each
pc that was going to be used off-site.  Then, when a VPN connection is
established, simply use "nbtstat -R" to reload the lmhosts file and you're
good to go.

Obviously, if you are in a large network, it could be a pain to build a
manual list like that, but most of the time, it is only a handful of
computers that you are trying to browse, and keeping a "master" file around
allows the clients to be updated more easily should you modify it.

Brian

----- Original Message ----- 
From: "Mitch (WebCob)" <mitch at webcob dot com>
To: "Fred Wright" <fw at well dot com>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, June 27, 2004 9:47 PM
Subject: RE: [m0n0wall] NetBIOS Resolution over IPSEC/PPTP


> Hey Fred
>
> > On Thu, 24 Jun 2004, Mitch (WebCob) wrote:
> > >
> > > I wonder if that doesn't exist already (nmbd from samba?) or if
> > it couldn't
> > > be added as a configurable module - SMB Network Browse Master -
> > not a samba
> > > server, but just the name browser functionality - configured to
> > peer with
> > > selective vpn endpoints - would solve things wouldn't it?
> >
> > Samba's nmbd is sufficient for WINS service but not browsing.  The
latter
> > is based on SMB datagram service, which is provided by smbd, not
> > nmbd.  And even nmbd isn't exactly tiny.
>
> The notes on openvpn.org indicate that browsing is supported by a wins
> server (see faw below) but I don't know, and haven't tried it - I'm not
> arguing with you... still, that could de done as well, set up smbd as a
> master browser, and link to another at the other side of the tunnel.
>
> > On Sun, 27 Jun 2004, Mitch (WebCob) wrote:
> >
> > > This is a problem with netbios broadcast packets not being
> > passed over the
> > > VPN.
> > >
> > > There has been some discussion about a module for openvpn,
> > which might help,
> > > and also running nmbd from samba on both sides of the link and
> > configuring
> > > them to communicate somehow?
> >
> > I don't see how the type of VPN would affect this, unless OpenVPN *also*
> > includes some extra stuff for NetBIOS over and above the VPN capability.
>
> From http://openvpn.sourceforge.net/faq.html
>
> ...This allows OpenVPN to route ethernet broadcasts and non-IP protocols
> such as Windows NetBios over the VPN. ...
>
> Bridging advantages
>
> Broadcasts traverse the VPN -- this allows software that depends on LAN
> broadcasts such as Windows NetBIOS file sharing and network neighborhood
> browsing to work.
>
> Routing disadvantages
>
> Clients must use a WINS server (such as samba) to allow cross-VPN network
> browsing to work.
>
> >
> > > Haven't seen a solution.
> > >
> > > Netgears and Linksys etc do it by allowing netbiod broadcast packets.
> > > apparently this can't be done in freebsd.
> >
> > Subnet broadcasts can only target one subnet, so routing them between
two
> > subnets and having them appear as broadcasts on both is just
> > plain wrong.
>
> Again, I don't know better and won't argue with you, but it works. That's
> what the end user cares about regardless of the semantics of
implementation.
>
> > It's legitimate to route a subnet broadcast *to* its destination subnet,
> > but it would appear as a link-level unicast in any earlier hops.  I do
> > recall something about FreeBSD's being unwilling to handle the latter
> > case, but I don't know if that can be changed by kernel option or by
> > sysctl.  I'd rather see them *not* blocked at that level, since one can
> > always block them in the filter if desired.
>
> Agreed, but I've heard many say it can't be... on the openvpn site there
is
> comment of a difference between a tun and a tap device... not sure if that
> is the crux of the matter or not.
>
> m/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>