NetBIOS browsing across subnets

NetBIOS browsing across subnets

[John Jones]

I have a need to allow NetBIOS/Network Neighborhood browsing across a
firewall between one internal LAN segment (192.168.0.0/23) to another
(192.168.10.0/24).  The two networks are on interfaces eth2 and eth3,
respectively, off of the corporate firewall.

The two segments of the LAN were seperated due to broadcast flooding
during video streaming development work by a dev team.

I have the majority of the instructions down, I *think*:

   iptables -t nat -I PREROUTING 1 -i eth2 -p tcp -d 192.168.0.1 --dport
139 -j DNAT --to 192.168.10.1:139
   iptables -I FORWARD 6 -i eth2 -o eth3 -p tcp -d 192.168.10.1 --dport
139 -j ACCEPT

   iptables -t nat -I PREROUTING 1 -i eth3 -p tcp -d 192.168.10.1
--dport 139 -j DNAT --to 192.168.0.1:139
   iptables -I FORWARD 6 -i eth2 -o eth2 -p tcp -d 192.168.0.1 --dport
139 -j ACCEPT

Not sure if this should be Destination NAT or Source NAT.  I would like
advice and/or corrections from anyone out there that has a better
knowledge of this, first.

Thanks in advance.

Re: NetBIOS browsing across subnets

[Antony Stone]

On Thursday 04 July 2002 9:44 pm, John Jones wrote:

> I have a need to allow NetBIOS/Network Neighborhood browsing across a
> firewall between one internal LAN segment (192.168.0.0/23) to another
> (192.168.10.0/24).  The two networks are on interfaces eth2 and eth3,
> respectively, off of the corporate firewall.

As far as I am aware you cannot do Network Neighbourhood browsing across a 
router - it works by using broadcast packets, so unless you bridge your 
networks together you will not be able to browse one side from the other.

You can certainly make Windows / SMB / NetBios connections from one network 
to another, but only if you know in advance the IP address/es of the 
machine/s you want to connect to.

If anyone knows a way of supporting Windows browsing across a router, please 
speak up :-)

 

Antony.

RE: NetBIOS browsing across subnets

[Stewart Thompson]

Antony:

	This subject came up on the list previously. There was a link
to a Microsoft Article addressing it. Perhaps if he looked through the
archives he might find it.


Stu......


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Antony Stone
Sent: July 4, 2002 1:46 PM
To: netfilter@lists.samba.org
Subject: Re: NetBIOS browsing across subnets

On Thursday 04 July 2002 9:44 pm, John Jones wrote:

> I have a need to allow NetBIOS/Network Neighborhood browsing across a
> firewall between one internal LAN segment (192.168.0.0/23) to another
> (192.168.10.0/24).  The two networks are on interfaces eth2 and eth3,
> respectively, off of the corporate firewall.

As far as I am aware you cannot do Network Neighbourhood browsing across a
router - it works by using broadcast packets, so unless you bridge your
networks together you will not be able to browse one side from the other.

You can certainly make Windows / SMB / NetBios connections from one network
to another, but only if you know in advance the IP address/es of the
machine/s you want to connect to.

If anyone knows a way of supporting Windows browsing across a router, please
speak up :-)



Antony.

RE: NetBIOS browsing across subnets

[George Vieira]

Best put a Samba server on the firewall and broadcast to both networks using
the `remote announce =` option..
Make this machine the master browser for both networks and you should be
fine, I do with with VPN users and it works like a dream until you put a PDC
into the network which continously complains and wants to be the master.. he
he.. linux beats it hands down on every election..

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
Sent: Friday, 05 July 2002 6:46 AM
To: netfilter@lists.samba.org
Subject: Re: NetBIOS browsing across subnets


On Thursday 04 July 2002 9:44 pm, John Jones wrote:

> I have a need to allow NetBIOS/Network Neighborhood browsing across a
> firewall between one internal LAN segment (192.168.0.0/23) to another
> (192.168.10.0/24).  The two networks are on interfaces eth2 and eth3,
> respectively, off of the corporate firewall.

As far as I am aware you cannot do Network Neighbourhood browsing across a 
router - it works by using broadcast packets, so unless you bridge your 
networks together you will not be able to browse one side from the other.

You can certainly make Windows / SMB / NetBios connections from one network 
to another, but only if you know in advance the IP address/es of the 
machine/s you want to connect to.

If anyone knows a way of supporting Windows browsing across a router, please

speak up :-)

 

Antony.

Re: NetBIOS browsing across subnets

[Ron Gedye]

On Thursday 04 July 2002 15 46 r, you wrote:

>
> If anyone knows a way of supporting Windows browsing across a router,
> please speak up :-)
>

Netbios will not pass a router.  The only way to allow this type of browsing 
is to use a WINS Server.  There is a way to set up either a push or pull 
mechanism to share info between different netbios 'zones'. (although it's 
been a few years since I had no other choice than windows networking and 
don't remember the specifics)

Ron

RE: NetBIOS browsing across subnets

[George Vieira]

WINS will not help.. it's just to help resolution og hostnames.. but he
wants to see them in Network Neighbourhood and WINS won't do this..
It'll have to be Samba on the firewall with remote announcements like this:

remote announce = 192.168.1.255 192.168.2.255

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Ron Gedye [mailto:rgedye@teleformix.com]
Sent: Friday, 05 July 2002 10:38 AM
To: netfilter@lists.samba.org
Subject: Re: NetBIOS browsing across subnets


On Thursday 04 July 2002 15 46 r, you wrote:

>
> If anyone knows a way of supporting Windows browsing across a router,
> please speak up :-)
>

Netbios will not pass a router.  The only way to allow this type of browsing

is to use a WINS Server.  There is a way to set up either a push or pull 
mechanism to share info between different netbios 'zones'. (although it's 
been a few years since I had no other choice than windows networking and 
don't remember the specifics)

Ron

RE: NetBIOS browsing across subnets

[George Vieira]

I'm sorry but NFS is no way a solution for this.. I've seen crashes on NFS
servers before many times and also when one server has a problem then the
other server goes into a panic attack.. sometimes even goes into 100%CPU as
I've seen before.. yes upgrade NFS if youmust but I still say samba as
master browser is the way to go as this works perfectly on my VPN
server/firewall without a hitch..

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Michael [mailto:mutk@ozemail.com.au]
Sent: Friday, 05 July 2002 12:43 PM
To: netfilter@lists.samba.org
Subject: Re: NetBIOS browsing across subnets


There generally isn't a way to do it. NetBIOS is feeble, and non 
routeable...

One way around it, and it doesn't involve NetBIOS/samba on the firewall:

You need two Samba servers, one on each subnet. Export the filesystem to 
be shared from one Samba server to the other. This means that the 
firewall only has to allow NFS traffic from one SMB to the other. This 
way you don't compromise the firewall machine.. only the Samba servers 
by running NFS...



Cheers,
Michael

>
>
>-----Original Message-----
>From: Ron Gedye [mailto:rgedye@teleformix.com]
>Sent: Friday, 05 July 2002 10:38 AM
>To: netfilter@lists.samba.org
>Subject: Re: NetBIOS browsing across subnets
>
>
>On Thursday 04 July 2002 15 46 r, you wrote:
>
>>If anyone knows a way of supporting Windows browsing across a router,
>>please speak up :-)
>>

RE: NetBIOS browsing across subnets

[George Vieira]

OMG..What the..

so much trouble.. wasn't the original problem that they wanted to see each
others machine/shares off NN? I'm getting off track now and confused...

You don't need smbmount on the firewall.. it's just there to handle the
broadcast of machines on both networks and broadcasts to both networks like
a *yes* proxy server for Netbios.. BUT it must be the master browser.. 1
machine 1 solution, not 2 and transfering this and that,etc.. *shudders*...

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au



-----Original Message-----
From: Michael [mailto:mutk@ozemail.com.au]
Sent: Friday, 05 July 2002 1:22 PM
To: netfilter@lists.samba.org
Subject: Re: NetBIOS browsing across subnets


Yes, I did say you compromise the Samba servers by doing this.....

I have had similar problems, and most were fixed with upgrade NFS... 
Also, having filesystems mounted on demand and unmount at idle has 
minimised problems.

Ok, NFS will in future be *the* solution. Just that having Samba running 
on a firewall machine is erksome for many reasons..

Another solution, to avoid Samba on the firewall system having to write 
and read from the Host's filesystem is to yes, have Samba running on the 
firewall, but have a Samba server on each subnet.

Then just have the firewall host smbmount the two subnet's Samba 
server's shared filesystems. The firewall host then advertises the 
shared filesystem from one subnet on the other subnet..

BTW is there any such hing as a NetBIOS proxy server?? This will be ideal.

Cheers,
Michael

George Vieira wrote:

>I'm sorry but NFS is no way a solution for this.. I've seen crashes on NFS
>servers before many times and also when one server has a problem then the
>other server goes into a panic attack.. sometimes even goes into 100%CPU as
>I've seen before.. yes upgrade NFS if youmust but I still say samba as
>master browser is the way to go as this works perfectly on my VPN
>server/firewall without a hitch..
>
>thanks,
>George Vieira
>Systems Manager
>Citadel Computer Systems P/L
>http://www.citadelcomputer.com.au
>

Re: NetBIOS browsing across subnets

[Michael]

There generally isn't a way to do it. NetBIOS is feeble, and non 
routeable...

One way around it, and it doesn't involve NetBIOS/samba on the firewall:

You need two Samba servers, one on each subnet. Export the filesystem to 
be shared from one Samba server to the other. This means that the 
firewall only has to allow NFS traffic from one SMB to the other. This 
way you don't compromise the firewall machine.. only the Samba servers 
by running NFS...



Cheers,
Michael

>
>
>-----Original Message-----
>From: Ron Gedye [mailto:rgedye@teleformix.com]
>Sent: Friday, 05 July 2002 10:38 AM
>To: netfilter@lists.samba.org
>Subject: Re: NetBIOS browsing across subnets
>
>
>On Thursday 04 July 2002 15 46 r, you wrote:
>
>>If anyone knows a way of supporting Windows browsing across a router,
>>please speak up :-)
>>

Re: NetBIOS browsing across subnets

[Michael]

Yes, I did say you compromise the Samba servers by doing this.....

I have had similar problems, and most were fixed with upgrade NFS... 
Also, having filesystems mounted on demand and unmount at idle has 
minimised problems.

Ok, NFS will in future be *the* solution. Just that having Samba running 
on a firewall machine is erksome for many reasons..

Another solution, to avoid Samba on the firewall system having to write 
and read from the Host's filesystem is to yes, have Samba running on the 
firewall, but have a Samba server on each subnet.

Then just have the firewall host smbmount the two subnet's Samba 
server's shared filesystems. The firewall host then advertises the 
shared filesystem from one subnet on the other subnet..

BTW is there any such hing as a NetBIOS proxy server?? This will be ideal.

Cheers,
Michael

George Vieira wrote:

>I'm sorry but NFS is no way a solution for this.. I've seen crashes on NFS
>servers before many times and also when one server has a problem then the
>other server goes into a panic attack.. sometimes even goes into 100%CPU as
>I've seen before.. yes upgrade NFS if youmust but I still say samba as
>master browser is the way to go as this works perfectly on my VPN
>server/firewall without a hitch..
>
>thanks,
>George Vieira
>Systems Manager
>Citadel Computer Systems P/L
>http://www.citadelcomputer.com.au
>

RE: NetBIOS browsing across subnets

[Nathan Cassano]

A simple google search for "routing NetBIOS linux" reveals the
following.

Routing NetBIOS with Linux
http://www.linuxplanet.com/linuxplanet/tutorials/1159/1/

Re: NetBIOS browsing across subnets

[Adam D. Barratt]

Nathan Cassano wrote:

> A simple google search for "routing NetBIOS linux" reveals the
> following.
>
> Routing NetBIOS with Linux
> http://www.linuxplanet.com/linuxplanet/tutorials/1159/1/

In which the link to the most important bit (nbfw) is 404-compliant...

http://sourceforge.net/projects/nbfw/

Adam

Re: NetBIOS browsing across subnets

[Antony Stone]

Suppose you have two subnets 192.168.1.0/24 and 192.168.2.0/24 joined by a 
netfilter router, and you want to browse Windows NetBios shares on the 
192.168.2.0 subnet from a client machine on the 192.168.1.0 subnet.

Suppose you put the following rules on the router:

iptables -A PREROUTING -t nat -d 192.168.1.255 -j DNAT --to 192.168.2.255

iptables -A FORWARD -j ACCEPT

Would this forward a broadcast packet on the 192.168.1.0 network to the 
192.168.2.0 network ?   Presumably the reply to such a broadcast is sent back 
to the originating IP, so that would go back across the router perfectly okay.

If you needed to transfer broadcasts from both networks to each other you'd 
have to be a bit clever with the iptables rules, so as not to translate a 
packet and then immediately translate it straight back again, but it could 
still be done.

Unfortunately amongst all my Linux machines I don't have enough Windows 
computers here to try this idea out :-)   Maybe someone else can comment on 
it from experience, or try and tell us what happens ?

 

Antony.