[BillingsLUG] WAN to WAN help question
Mike Berry
madeinmontana at bresnan.net
Mon Jul 19 13:21:25 MDT 2010
Dan, thanks again. Couple more questions, does setting the number of IP
addresses to just the number of devices help secure a network by not
allowing an outside unauthorized device the ability to get in? (Inconvenient
in large networks I know). This has been a practice of mine to enhance a
network's security.
And, do you have a suggestion for a router of the ones you listed? I don't
have much experience with any of them, and only a few Cisco, Netgear, and
Dlink.
_____
From: billingslug-bounces at billingslug.org
[mailto:billingslug-bounces at billingslug.org] On Behalf Of dan
Sent: Friday, July 16, 2010 23:27
To: Mailing list for the Billings Linux User Group
Subject: Re: [BillingsLUG] WAN to WAN help question
in-line
On Fri, Jul 16, 2010 at 11:13 PM, Mike Berry <madeinmontana at bresnan.net>
wrote:
Dan, thank you!! That really helps, getting it spelled out (I've never seen
it written so well). I hope all that rattled off your head fast, so you
didn't have to take a lot of time writing it.
I have had to solve this problem myself :) I'm also a giant nerd :)
One last question: Jumping to the last line, "recommended option": will
that still work if I want to use static IPs and limit the networks with a
limited number of IPs needed for workstations, printers, and necessary
devices?
Sure, I have personally moved away from statically assigning anything so I
always recommend DHCP. I do put 'sticky' IP addresses on printers and other
utility devices. I drop in an entry in DHCP for that MAC address so that it
still gets an IP via DHCP but gets the same one each time (and no other
device gets that IP either). This is trivial in a cisco, pfsense, linux, or
windows DHCP server and helps manage devices easily.
Again, thank you very much!
mb
_____
From: billingslug-bounces at billingslug.org
[mailto:billingslug-bounces at billingslug.org] On Behalf Of dan
Sent: Friday, July 16, 2010 12:32
To: Mailing list for the Billings Linux User Group
Subject: Re: [BillingsLUG] WAN to WAN help question
comments in-line
On Fri, Jul 16, 2010 at 11:17 AM, Mike Berry <madeinmontana at bresnan.net>
wrote:
Hello all, thank you very much for the quick replies.
The answers to Larry's questions are: no, they don't share a broadcast domain,
and the WAN is a VPN.
I can set up WINS on the server. But
are you saying DON'T use VPN with those cisco models
I'm saying that the Cisco (aka Linksys) models lack the ability to NAT NetBIOS.
search for 'CBOS NetBIOS'. If you move to a Cisco 8xx or 1xxx+ router you
get IOS which CAN NAT netbios.
pfsense, vyatta, untangle, linux with iptables, freebsd with pf, mikrotik
can all route netbios.
, instead use the pfsense or vyatta with ipsec?
It's not the VPN type that is getting you, it's the OS of the router. Just
get a better router.
And, to clarify the "LMHOSTS file on each machine with every other machine",
(Add every other machine to each machine's hosts file)?
lmhosts file:
c:\windows\system32\drivers\etc\lmhosts.sam
fill it just like a hosts file:
127.0.0.1 localhost
192.168.1.1 server1
192.168.0.5 fileserver2
You would need to put this on each machine that needed to access another
machine via the network neighborhood. You need an entry for every machine.
This is essentially spoofing lanmanager lookups through netbios, working
around the issue of netbios being poorly routable. A WINS server is
essentially a DNS server for LM data.
NetBIOS = API to facilitate data exchange on a network, uses UDP and/or TCP
(sometimes IPX) and broadcasts to local broadcast address.
WINS = DNS for LANMANAGER Networks
LMHOST = hosts file to override entries in WINS server (or replace WINS if
you REALLY like manual host mappings.)
NetBIOS clients (aka Windows machines) have some capabilities that behave
kind of like AVAHI or Bonjour, where they can exchange data on the local
subnet by broadcasting. This is why you can use Network Neighborhood on
local LANs, your computer broadcasts via NetBIOS and the other machines
respond to the broadcast. Because NetBIOS operates by broadcasting on the
local subnet, it won't typically see or be seen by computers on another
subnet. If you have an appropriate router, you can NAT the broadcast
between two subnets and the remote machines will respond to the broadcast to
their router and in turn their response will be NAT'd back. Your client
will register in WINS *if* it is assigned a WINS server via DHCP or
manually. Have no delusions, this is a HACK.
By using WINS, you can add a DNS type lookup where the client (Network
Neighborhood) asks the WINS server over TCP for all other WINS clients,
skipping the need to broadcast. You can still have an issue here with NAT
because even though your client knows where the WINS server is, if it is on
another subnet your router will need to know how to NAT netbios so that you
can communicate with the WINS server in the first place.
Your best option in my opinion is to replace the routers with something that
can NAT netbios. Install WINS on the server and set up DHCP to hand out the
WINS server.
Thanks again, it already makes better sense, but also confirms my thoughts
on some hardware.
mb
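Dan's LMHOSTS explanation above is the kind of thing that is easiest to see with a parser in hand. The block below is an added example, not code from this thread or from Windows; it reads an LMHOSTS-style file (IP, NetBIOS name, optional #PRE / #DOM: keywords, '#' comments), resolves names the way a first-match lookup would, and flags the problem Dan warns about with option 3: a machine whose IP changed and whose old line was never removed. The file contents, host names and addresses are constructed for the example.

```python
"""Parse an LMHOSTS-style file and resolve NetBIOS names from it.

Added example for the BillingsLUG thread, not code from the thread or from
Microsoft. Sample data below is constructed; every name and address is invented.
"""
import ipaddress

# Constructed sample in the shape of the lmhosts entries shown in the thread.
# Keywords such as #PRE must be uppercase; any other '#' starts a comment.
SAMPLE_LMHOSTS = """\
# constructed lmhosts sample for the example
127.0.0.1       localhost
192.168.1.1     server1        #PRE  #DOM:OFFICE
192.168.0.5     fileserver2
192.168.0.7     PRINTER1       # print server, added 2010-07
192.168.0.300   badhost
192.168.0.9     fileserver2    # stale duplicate: box moved, old line kept
"""


def parse_lmhosts(text):
    """Return (entries, problems) for an LMHOSTS-style text.

    entries  : list of dicts {name, ip, preload, domain, line}, file order
    problems : human-readable strings for lines that are bad or conflicting
    """
    entries, problems = [], []
    first_ip = {}  # NetBIOS name -> IP of the first line that mapped it
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, comment, or a directive such as #INCLUDE
        tokens = line.split()
        if len(tokens) < 2:
            problems.append(f"line {lineno}: expected '<ip> <name>'")
            continue
        ip_text, name = tokens[0], tokens[1].upper()  # NetBIOS names are case-insensitive
        try:
            ip = str(ipaddress.ip_address(ip_text))
        except ValueError:
            problems.append(f"line {lineno}: invalid IP address {ip_text!r}")
            continue
        if len(name) > 15:  # NetBIOS names are at most 15 characters
            problems.append(f"line {lineno}: name {name!r} longer than 15 characters")
            continue
        preload, domain = False, None
        for tok in tokens[2:]:
            if tok == "#PRE":
                preload = True
            elif tok.startswith("#DOM:"):
                domain = tok[len("#DOM:"):]
            elif tok.startswith("#"):
                break  # anything else after '#' is a trailing comment
        if name in first_ip and first_ip[name] != ip:
            problems.append(
                f"line {lineno}: {name} already mapped to {first_ip[name]}, now {ip}"
            )
        first_ip.setdefault(name, ip)
        entries.append({"name": name, "ip": ip, "preload": preload,
                        "domain": domain, "line": lineno})
    return entries, problems


def resolve(entries, name):
    """Return the IP for a NetBIOS name, first matching entry wins, else None."""
    wanted = name.upper()
    for entry in entries:
        if entry["name"] == wanted:
            return entry["ip"]
    return None


if __name__ == "__main__":
    found, issues = parse_lmhosts(SAMPLE_LMHOSTS)
    for entry in found:
        print(f"{entry['name']:<15} {entry['ip']:<15} pre={entry['preload']} dom={entry['domain']}")
    for issue in issues:
        print("PROBLEM:", issue)
    print("fileserver2 ->", resolve(found, "fileserver2"))
```

Run on the constructed sample, the resolver hands back 192.168.0.5 for fileserver2 even though a later line says 192.168.0.9, which is exactly why the parser reports the conflict: with per-machine LMHOSTS files and non-sticky addresses, every machine silently keeps whatever the first matching line says until someone edits it by hand.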
_____
From: billingslug-bounces at billingslug.org
[mailto:billingslug-bounces at billingslug.org] On Behalf Of dan
Sent: Wednesday, July 14, 2010 19:51
To: Mailing list for the Billings Linux User Group
Subject: Re: [BillingsLUG] WAN to WAN help question
I'm guessing you are using the RVS4000 as a VPN bridge also. I would bet
that device runs CBOS, which is a cut down alternative to IOS and is unable
to NAT netbios. Netbios is not happy with routing, which means that it won't
work well if the two sites are on different subnets.
Your options:
1) Replace the routers with something running a more advanced routing
platform like a cisco with IOS (cisco 8xx, 18xx, 28xx), pfsense or vyatta
with ipsec tunnels.
2) Set up the W2003 server as a WINS server and push the WINS with DHCP.
3) LMHOSTS file on each machine with every other machine. This is
essentially the hosts file for netbios. You would need to statically assign
IP addresses to each machine or at least use a sticky DHCP.
On Wed, Jul 14, 2010 at 2:50 PM, Larry Dillon <dillon.larry at gmail.com>
wrote:
Usually, if you're having Windows network browsing problems, the
solution is to set up a WINS server (and configure all of the clients
to know about it, usually through DHCP), but I'm not sure about how
the WAN environment might complicate this.
It would help to know more details about how the two LAN's are
configured. Do they share a broadcast domain?
Is the WAN a dedicated circuit or a VPN tunnel?
On Wed, Jul 14, 2010 at 10:20 AM, Mike Berry <madeinmontana at bresnan.net>
wrote:
> Hoping this gets to everyone that can help?
> It's been a long time since I have asked the Blgs LUG for any ideas, most
> won't know me or remember, but:
>
> I recently inherited a VERY bad WAN to WAN network, Blgs to Bzmn.
> XP, Vista, and Win7, most home versions, some Pro, with a dedicated
> 2003 standard server.(located in Bzmn).
> Linksys RVS 4000 VPN Routers at each end.
>
> It is possible to connect to the server, install printers from each end,
> Upload/download files, and run quickbooks from Blgs.
>
> Problem is, owner wants to SEE the workstations from both ends of the
> NETWORK in NETWORK "hood" view,
> And be able to print a topology map of the two networks, speed up the
> network access time, and, especially quickbooks.
>
> I don't think the Linksys is the best answer after reading some of the
> reviews and problems.
>
> Does anyone have any suggestions? If so, please call me, as I will not be
> near email today:
>
> Mike Berry
> 855.0584
>
> or email if that's all you can do, I will get it later.
>
> Much thanks to all!
> mb
>
>
> _______________________________________________
> BillingsLUG mailing list
> BillingsLUG at billingslug.org
> http://lists.billingslug.org/mailman/listinfo/billingslug
> http://www.billingslug.org group information
>