* [LARTC] Help with gre tunneling
@ 2002-01-25  9:51 glynn
  2002-01-25 11:59 ` Greg Scott
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: glynn @ 2002-01-25  9:51 UTC (permalink / raw)
  To: lartc


Hello everyone. Is it possible to browse the network neighborhood if I tunnel to a remote site? If it's possible, how?



Best regards,
Glynn


* RE: [LARTC] Help with gre tunneling
  2002-01-25  9:51 [LARTC] Help with gre tunneling glynn
@ 2002-01-25 11:59 ` Greg Scott
  2002-01-30  8:43 ` glynn
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Greg Scott @ 2002-01-25 11:59 UTC (permalink / raw)
  To: lartc


The short answer would be yes, but there are lots and lots of details.  
 
Now that your GRE tunnel is up and running, switch your thinking to
look at it from Windows' point of view.  From Windows' point of view,
the GRE tunnel is really a router.  So you have LAN A connected to
a router, across a WAN, to LAN B.  Your Windows PCs have no
clue that there is a GRE tunnel in-between.  All they know is, their
default gateway is the internal IP address of the firewall/router you
set up.  Well, maybe not their default gateway, but at least they 
have a route to the LAN on the other side of the tunnel.
 
So what do we need with Windows so that PCs in LAN A can
browse (Network Neighborhood) shares offered by computers in
LAN B?  Assuming Windows 9x, we need a way for NetBIOS name 
resolution that doesn't depend on broadcasts, so that means you'll 
need a WINS server in both LAN A and LAN B.  You'll want to set 
up the WINS servers as push/pull replication partners so they both 
have up to date copies of which systems are where.  And you'll need
to set up your PCs as NBT node type 8 (I think).  This is the hybrid,
where PCs first try to resolve names by asking a WINS server and then
try a broadcast if that doesn't work.
 
You could also use local lmhosts files for NetBIOS name resolution,
but let's not even go there.
 
If you have a Win2000 domain and all Win2000 clients, then the rules
are different.  In this case, you'll need DNS servers instead of WINS
servers.  
 
Conceptually, the point is, you need some way to do name resolution
on both ends of your tunnel to make this work.  
 
You will want to set up some kind of Win NT or Win 2000 domain 
structure that makes sense, or you will want some kind of 
workgroup structure that makes sense.  So let's say the PCs in
LAN A are all members of a workgroup named LANAWG.  If you
make a PC in LAN B a member of the LANAWG workgroup, and
you have name resolution that works, then that LAN B PC should
be able to browse its Network Neighborhood and see the shares
offered by PCs in the LANAWG workgroup, no matter which side
of the tunnel they are on.
 
This all assumes that the Windows PCs do their jobs properly.
 
- Greg Scott
 
 


* Re: [LARTC] Help with gre tunneling
  2002-01-25  9:51 [LARTC] Help with gre tunneling glynn
  2002-01-25 11:59 ` Greg Scott
@ 2002-01-30  8:43 ` glynn
  2002-01-30 12:20 ` Greg Scott
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: glynn @ 2002-01-30  8:43 UTC (permalink / raw)
  To: lartc


Do I really need to set up a WINS server on both sides? And if I configure
one of my Windows 98 PCs, how do I make it do push and pull replication? And
how about NBT node type 8? Do you think it will work if I set up a DNS
server? What would be the best and easiest way to have name resolution on
both ends of the tunnel?


Best Regards,
Glynn


* RE: [LARTC] Help with gre tunneling
  2002-01-25  9:51 [LARTC] Help with gre tunneling glynn
  2002-01-25 11:59 ` Greg Scott
  2002-01-30  8:43 ` glynn
@ 2002-01-30 12:20 ` Greg Scott
  2002-02-13  2:25 ` [LARTC] Help with GRE Tunneling Glynn S. Condez
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Greg Scott @ 2002-01-30 12:20 UTC (permalink / raw)
  To: lartc


It depends on what is on each end of the tunnel.  If you only have Win9x
desktops on one end, then you should not need WINS servers there.  In this
case, have the WINS server on the end with a server and point the outlying
systems to use this WINS server.   WINS only runs on Windows NT or 2000
server.  I do not know of any WINS server software that runs on Win9x.  
 
If only Win9x systems on both ends, then you could use some kind of lmhosts
file and keep the up to date copy on each system.
 
In a completely non routed LAN, you would not need a WINS server because
everyone could resolve NetBIOS names by broadcasts.  But broadcasts won't
carry across your VPN because your VPN systems are also routers.  
 
DNS won't completely do the job with Win9x clients because the clients need
to know who is offering the NetBIOS services they need.  That's why you see
so many WINS entries for every resolution - it does more than resolve host
names, it also resolves who is providing what NetBIOS services.  
 
So the total answer depends on what kind of servers and clients you have and
where they are.
 
- Greg
 


* [LARTC] Help with GRE Tunneling
  2002-01-25  9:51 [LARTC] Help with gre tunneling glynn
                   ` (2 preceding siblings ...)
  2002-01-30 12:20 ` Greg Scott
@ 2002-02-13  2:25 ` Glynn S. Condez
  2002-02-13  7:59 ` bert hubert
  2002-02-14  1:20 ` Glynn S. Condez
  5 siblings, 0 replies; 7+ messages in thread
From: Glynn S. Condez @ 2002-02-13  2:25 UTC (permalink / raw)
  To: lartc


Hello everyone, I have a working PPTP VPN (GRE tunneling). I set up a Samba
server on both Linux servers. In network A, I could see the network
neighborhood with Samba, but I couldn't see the network of the other side,
but I could open the Samba server in Network B and also the workstation
using \\networkB\share. I'd like to ask if it's possible for me to use the
same subnet as Network B, so that both Network A and Network B are in the
same subnet. Here is my config for the PPTP VPN on both networks. If it's
possible, can anyone correct the config?

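#Network A
# Enable IPv4 forwarding between the LAN and the tunnel
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade forwarded traffic sourced from either LAN
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ

# Load the GRE module and create the tunnel device "netb"
/sbin/insmod ip_gre
/sbin/ip tunnel add netb mode gre remote x.x.x.x local y.y.y.y ttl 255
/sbin/ip link set netb up
/sbin/ip addr add 192.168.1.1 dev netb
# Reach Network B's LAN through the tunnel
/sbin/ip route add 192.168.2.0/24 dev netb
------------------------------------------------------------------------------
#Network B
# Enable IPv4 forwarding between the LAN and the tunnel
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade forwarded traffic sourced from either LAN
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ

# Load the GRE module and create the tunnel device "neta"
/sbin/insmod ip_gre
/sbin/ip tunnel add neta mode gre remote y.y.y.y local x.x.x.x ttl 255
/sbin/ip link set neta up
/sbin/ip addr add 192.168.2.1 dev neta
# Reach Network A's LAN through the tunnel
/sbin/ip route add 192.168.1.0/24 dev neta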




* Re: [LARTC] Help with GRE Tunneling
  2002-01-25  9:51 [LARTC] Help with gre tunneling glynn
                   ` (3 preceding siblings ...)
  2002-02-13  2:25 ` [LARTC] Help with GRE Tunneling Glynn S. Condez
@ 2002-02-13  7:59 ` bert hubert
  2002-02-14  1:20 ` Glynn S. Condez
  5 siblings, 0 replies; 7+ messages in thread
From: bert hubert @ 2002-02-13  7:59 UTC (permalink / raw)
  To: lartc

On Wed, Feb 13, 2002 at 10:25:55AM +0800, Glynn S. Condez wrote:

> Hello everyone, I have a working PPTP VPN (GRE tunneling). I set up a Samba
> server on both Linux servers. In network A, I could see the network
> neighborhood with Samba, but I couldn't see the network of the other side,
> but I could open the Samba server in Network B and also the workstation
> using \\networkB\share. I'd like to ask if it's possible for me to use the
> same subnet as Network B, so that both Network A and Network B are in
> the same subnet. Here is my config for the PPTP VPN on both networks. If
> it's possible, can anyone correct the config?

Could you use a mailer that does not send out thousand character lines? You
are supposed to wrap lines after ~75 characters on the internet. But
returning to the question, yes, you can perform tricks to create a tunnel
within the same subnet. 

This is done with proxy arp, which tells the router on Network A about which
hosts live on Network B. Network A will then think the router contains
Network B - no explicit routes are needed.

I *think* this will do what you want but I'd advise against it. There are
SMB proxy servers available which can help you browse over network borders.
Those are probably the right solution.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
Linux Advanced Routing & Traffic Control: http://ds9a.nl/lartc
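
The proxy-ARP arrangement bert describes above, as an added example that is not part of the original thread or anyone's posted config. It assumes both sites share 192.168.1.0/24 split into two /25 halves, that each router's LAN interface is eth0, and that the GRE devices netb and neta already exist and are up; the probe addresses are constructed.

```shell
#!/bin/sh
# Added example: proxy-ARP pseudo-bridge over an existing GRE tunnel.
# Assumptions (not from the thread):
#   - both sites use 192.168.1.0/24
#   - site A hosts live in 192.168.1.0/25, site B hosts in 192.168.1.128/25
#   - eth0 is the LAN-facing interface on each router
# Dry run by default: commands are printed. Set APPLY=1 (as root) to execute.

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# pseudo_bridge LAN_IF TUN_IF REMOTE_HALF PROBE_ADDR
pseudo_bridge() {
    lan_if=$1
    tun_if=$2
    remote_half=$3
    probe=$4

    # Send the half of the subnet that lives at the other site into the
    # tunnel. The /25 is more specific than the /24 on the LAN interface,
    # so it wins the route lookup.
    run ip route add "$remote_half" dev "$tun_if"

    # The router must forward between the LAN and the tunnel.
    run sysctl -w net.ipv4.ip_forward=1

    # Answer ARP requests on the LAN for addresses that are routed out of
    # a different interface (here: the tunnel), so local hosts send those
    # frames to the router without needing an explicit route.
    run sysctl -w "net.ipv4.conf.$lan_if.proxy_arp=1"

    # Check: a far-side address should resolve to the tunnel device.
    run ip route get "$probe"
}

# Router at site A: far side is the upper /25, reached through netb.
site_a() { pseudo_bridge eth0 netb 192.168.1.128/25 192.168.1.130; }

# Router at site B: far side is the lower /25, reached through neta.
site_b() { pseudo_bridge eth0 neta 192.168.1.0/25 192.168.1.10; }

echo "# site A router"
site_a
echo "# site B router"
site_b
```

Proxy ARP only answers ARP for the far-side addresses; NetBIOS broadcasts still stop at each router, so browsing still needs the WINS or lmhosts name resolution discussed earlier in the thread.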

* Re: [LARTC] Help with GRE Tunneling
  2002-01-25  9:51 [LARTC] Help with gre tunneling glynn
                   ` (4 preceding siblings ...)
  2002-02-13  7:59 ` bert hubert
@ 2002-02-14  1:20 ` Glynn S. Condez
  5 siblings, 0 replies; 7+ messages in thread
From: Glynn S. Condez @ 2002-02-14  1:20 UTC (permalink / raw)
  To: lartc


Hello Bert, I understand your solution but I dunno how to do it using
proxy ARP. :( Bert, can you help me with how to do it? I will attach my config
file to this email, and can you edit it and send it back to me? I really
badly need it to work.


Thanks,
glynn


[-- Attachment #2: vpnconfig.txt --]
[-- Type: text/plain, Size: 822 bytes --]

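#Network A
# Enable IPv4 forwarding between the LAN and the tunnel
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade forwarded traffic sourced from either LAN
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ

# Load the GRE module and create the tunnel device "netb"
/sbin/insmod ip_gre
/sbin/ip tunnel add netb mode gre remote x.x.x.x local y.y.y.y ttl 255
/sbin/ip link set netb up
/sbin/ip addr add 192.168.1.1 dev netb
# Reach Network B's LAN through the tunnel
/sbin/ip route add 192.168.2.0/24 dev netb
------------------------------------------------------------------------------
#Network B
# Enable IPv4 forwarding between the LAN and the tunnel
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade forwarded traffic sourced from either LAN
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ

# Load the GRE module and create the tunnel device "neta"
/sbin/insmod ip_gre
/sbin/ip tunnel add neta mode gre remote y.y.y.y local x.x.x.x ttl 255
/sbin/ip link set neta up
/sbin/ip addr add 192.168.2.1 dev neta
# Reach Network A's LAN through the tunnel
/sbin/ip route add 192.168.1.0/24 dev neta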
