[ previous ] [ next ] [ threads ]
 
 From:  "Zadikem, Travis-taz" <tzadikem at picosecond dot com>
 To:  "Mitch \(WebCob\)" <mitch at webcob dot com>, "Brian Buys" <bbuys at tritel dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] NetBIOS Resolution over IPSEC/PPTP
 Date:  Mon, 28 Jun 2004 11:27:43 -0600
Was browsing this list because of a simlar problem with resolution and PPTP and
thought I would add to the thoughts on this.

I use Windows 2000 with Active Directory
in a mixed domain and can do an export from the Wins server, but there
would be a problem with the DHCP clients, I believe?  A lot
of domains running Windows 2000 as a PDC are using DHCP nowadays.

Travis

-----Original Message-----
From: Mitch (WebCob) [mailto:mitch at webcob dot com]
Sent: Monday, June 28, 2004 11:11 AM
To: Brian Buys; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] NetBIOS Resolution over IPSEC/PPTP


Interesting idea...

I know we are wandering off topic here, but I wonder if you couldn't somehow
export a browse list from the browsemaster on site (maybe if it was samba?)
and then format a lmhosts file - this could be downloaded, installed and
refreshed by a batch file in windows... would sidestep the whole broadcast
issue.

m/

> -----Original Message-----
> From: Brian Buys [mailto:bbuys at tritel dot com]
> Sent: Monday, June 28, 2004 9:47 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] NetBIOS Resolution over IPSEC/PPTP
>
>
> For Windows clients, I use a quick-and-dirty workaround for browsing over
> the VPN.  I created a copy of lmhosts which has the machine addresses and
> netbios names listed using the #PRE tag, and I distributed this
> file to each
> pc that was going to be used off-site.  Then, when a VPN connection is
> established, simply use "nbtstat -R" to reload the lmhosts file and you're
> good to go.
>
> Obviously, if you are in a large network, it could be a pain to build a
> manual list like that, but most of the time, it is only a handful of
> computers that you are trying to browse, and keeping a "master"
> file around
> allows the clients to be updated more easily should you modify it.
>
> Brian
>
> ----- Original Message -----
> From: "Mitch (WebCob)" <mitch at webcob dot com>
> To: "Fred Wright" <fw at well dot com>; <m0n0wall at lists dot m0n0 dot ch>
> Sent: Sunday, June 27, 2004 9:47 PM
> Subject: RE: [m0n0wall] NetBIOS Resolution over IPSEC/PPTP
>
>
> > Hey Fred
> >
> > > On Thu, 24 Jun 2004, Mitch (WebCob) wrote:
> > > >
> > > > I wonder if that doesn't exist already (nmbd from samba?) or if
> > > it couldn't
> > > > be added as a configurable module - SMB Network Browse Master -
> > > not a samba
> > > > server, but just the name browser functionality - configured to
> > > peer with
> > > > selective vpn endpoints - would solve things wouldn't it?
> > >
> > > Samba's nmbd is sufficient for WINS service but not browsing.  The
> latter
> > > is based on SMB datagram service, which is provided by smbd, not
> > > nmbd.  And even nmbd isn't exactly tiny.
> >
> > The notes on openvpn.org indicate that browsing is supported by a wins
> > server (see faw below) but I don't know, and haven't tried it - I'm not
> > arguing with you... still, that could de done as well, set up smbd as a
> > master browser, and link to another at the other side of the tunnel.
> >
> > > On Sun, 27 Jun 2004, Mitch (WebCob) wrote:
> > >
> > > > This is a problem with netbios broadcast packets not being
> > > passed over the
> > > > VPN.
> > > >
> > > > There has been some discussion about a module for openvpn,
> > > which might help,
> > > > and also running nmbd from samba on both sides of the link and
> > > configuring
> > > > them to communicate somehow?
> > >
> > > I don't see how the type of VPN would affect this, unless
> OpenVPN *also*
> > > includes some extra stuff for NetBIOS over and above the VPN
> capability.
> >
> > From http://openvpn.sourceforge.net/faq.html
> >
> > ...This allows OpenVPN to route ethernet broadcasts and non-IP protocols
> > such as Windows NetBios over the VPN. ...
> >
> > Bridging advantages
> >
> > Broadcasts traverse the VPN -- this allows software that depends on LAN
> > broadcasts such as Windows NetBIOS file sharing and network neighborhood
> > browsing to work.
> >
> > Routing disadvantages
> >
> > Clients must use a WINS server (such as samba) to allow
> cross-VPN network
> > browsing to work.
> >
> > >
> > > > Haven't seen a solution.
> > > >
> > > > Netgears and Linksys etc do it by allowing netbiod
> broadcast packets.
> > > > apparently this can't be done in freebsd.
> > >
> > > Subnet broadcasts can only target one subnet, so routing them between
> two
> > > subnets and having them appear as broadcasts on both is just
> > > plain wrong.
> >
> > Again, I don't know better and won't argue with you, but it
> works. That's
> > what the end user cares about regardless of the semantics of
> implementation.
> >
> > > It's legitimate to route a subnet broadcast *to* its
> destination subnet,
> > > but it would appear as a link-level unicast in any earlier hops.  I do
> > > recall something about FreeBSD's being unwilling to handle the latter
> > > case, but I don't know if that can be changed by kernel option or by
> > > sysctl.  I'd rather see them *not* blocked at that level,
> since one can
> > > always block them in the filter if desired.
> >
> > Agreed, but I've heard many say it can't be... on the openvpn site there
> is
> > comment of a difference between a tun and a tap device... not
> sure if that
> > is the crux of the matter or not.
> >
> > m/
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch