Netgate Discussion Forum
    NetBIOS over IPSEC

cheech

I know NetBIOS sucks and WINS/AD should be used instead, but I have a legacy app that relies on this that I would like to continue to use, and I don't want to add Samba servers. Many routers have a NetBIOS over IPsec option that works. Before I post a bounty for this feature I do have a question. I am using all WinXP systems and by default NetBIOS runs over TCP. To newbie me this would suggest that it SHOULD run over IPsec since it is TCP, but maybe since it is broadcast traffic that is the problem? I am trying to get cross-subnet _BROWSE working. Thanks for any comments!

cheech

I did try with WINS. There are tunnels to 2 remote sites. 1 site now "works" with the legacy application but the other site still doesn't. I did some packet traces to see what is happening. The application sends a UDP broadcast to 255.255.255.255 on port 3500. Then any PCs running the app hear this and reply back, and then they are registered with the app. On the side that is not working, there are no replies back.

        Would you EXPECT that the tunnels should carry such broadcasts or no?

        Thanks!

hoba

No, these kinds of broadcasts do not leave the local subnet. The application is not designed for multi-subnet situations.

cheech

OK, so can you think of any reason it is working over one tunnel, then? I realize that this is not really a pfSense issue, rather general networking/Windows related, but I appreciate your thoughts anyway. Thanks.

Main site: 192.168.1.0/24  TUNNEL  Remote 1: 192.168.4.0/24:
()&#(*@&!

Main site: 192.168.1.0/24  TUNNEL  Remote 2: 192.168.5.0/24:

Application starts:          192.168.5.253 UDP:DPT:3500 > 255.255.255.255

PCs on other subnet reply:   192.168.1.56 UDP:DPT:3500 > 192.168.5.253
                             192.168.1.44 UDP:DPT:3500 > 192.168.5.253
                             192.168.1.23 UDP:DPT:3500 > 192.168.5.253

hoba

I don't see how the PCs at one end can reply to a broadcast they don't even see. You should try to get some help from the application's vendor on how to set it up in a routed/IPsec scenario.

cheech
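To make hoba's point concrete against the trace posted above, here is a small added example (not from the thread or from pfSense) that checks each packet against the two tunnels' phase-2 selectors: the 255.255.255.255 discovery packet never matches any selector, so no tunnel can carry it, while the unicast replies would. The subnets come from the posts; the tunnel names, the /24 LAN assumption and the sample trace are constructed.

```python
import ipaddress

# Phase-2 (traffic selector) pairs for the two tunnels named in the thread;
# subnets come from the poster, the tunnel names are assumptions.
TUNNELS = {
    "Remote 1": ("192.168.1.0/24", "192.168.4.0/24"),
    "Remote 2": ("192.168.1.0/24", "192.168.5.0/24"),
}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def parse_trace_line(line):
    """'192.168.5.253 UDP:DPT:3500 > 255.255.255.255' -> (src, dport, dst)."""
    src, proto, arrow, dst = line.split()
    if arrow != ">" or not proto.startswith("UDP:DPT:"):
        raise ValueError(f"unexpected trace line: {line!r}")
    return ipaddress.ip_address(src), int(proto.rsplit(":", 1)[1]), ipaddress.ip_address(dst)

def classify_destination(dst, local_net):
    """Kind of destination as seen from the sender's LAN."""
    if dst == LIMITED_BROADCAST:
        return "limited-broadcast"   # RFC 919/922: routers must not forward it
    if dst == local_net.broadcast_address:
        return "directed-broadcast"  # not forwarded by default either (RFC 2644)
    return "unicast"

def tunnel_for(src, dst):
    """Tunnel whose selectors match src/dst, or None (no SA, no encapsulation)."""
    for name, (a, b) in TUNNELS.items():
        a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
        if (src in a and dst in b) or (src in b and dst in a):
            return name
    return None

def explain_trace(lines):
    """Per packet: (src, dst, dport, destination kind, tunnel that would carry it)."""
    report = []
    for line in lines:
        src, dport, dst = parse_trace_line(line)
        local = ipaddress.ip_network(f"{src}/24", strict=False)  # assumed /24 LANs
        report.append((str(src), str(dst), dport, classify_destination(dst, local), tunnel_for(src, dst)))
    return report

# Constructed sample in the shape of the trace posted in the thread.
SAMPLE_TRACE = [
    "192.168.5.253 UDP:DPT:3500 > 255.255.255.255",
    "192.168.1.56 UDP:DPT:3500 > 192.168.5.253",
]
if __name__ == "__main__":
    for src, dst, port, kind, tun in explain_trace(SAMPLE_TRACE):
        print(f"{src} -> {dst}:{port}  {kind:18} tunnel={tun}")
```

Any reply seen from the remote side therefore came from a host that learned about the app some other way (a WINS/browse-list lookup, say), not from hearing the broadcast through the tunnel.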

No support, lol. I am more interested in learning/understanding how this works or doesn't work. I set up another VPN at home and this works on and off. I realize this has nothing to do with pfSense and is a general networking/Windows issue. What I have come up with is that the application relies on the browser service. If I do a net view and see all the PCs then everything is fine, but this is up and down for some reason:

                In addition to acting as the local master browser, the primary domain controller also acts as the domain master browser, which ties subnets together and allows browse lists to be shared between master and backup browsers on separate subnets. This is how browsing is extended to function beyond the local subnet. Each subnet functions as a separate browsing entity, and the domain master browser synchronizes the master browsers of each subnet. In a Windows-only network, browsing cannot function across subnets unless a Windows NT/2000 PDC exists on the network.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.