Site to site SMB discovery and sharing [closed]



  • Hi, I'm a fairly competent Linux user, but far from a network expert.

    I need to set up a bridge between two locations to share Windows resources. Clients need to be able to browse to each other and connect using \\COMPUTERNAME.

    OpenVPN seems to be an obvious option, but I have only been able to get to the point where I can get the machines to talk to each other using \\IPADDRESS.

    My test setup is using two pfSense boxes, each with two NICs, and using a Peer to Peer (shared key) connection. Is this a viable setup, or should I start over using PKI, or something else?



  • I got far enough to make it work for my particular situation. Somewhat of a dirty hack, but since the machines that need to be reachable have static IP addresses, I just added them to the HOSTS file on the clients.

    As far as getting full-fledged Samba browsing and sharing, I realize that there is a lot more involved. The keywords to search for seem to be NetBIOS and WINS. To answer my own question about my current setup being a viable starting point, it looks like the answer is "maybe not". According to this: https://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes, there is a difference in how "shared key" and PKI work.

    Edit: This post was really just intended to inform that I had gotten this particular problem solved. I still have more steps to go before done, but will post different threads if I have any more questions.
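As an added example (not from this thread or its author), the hosts-file approach described above can be kept tidy and verified from the Windows client side. The script below is PowerShell, the shell the laptop clients would actually be administered from; the server names and the 192.0.2.x addresses are constructed placeholders, and the function names are my own.

```powershell
# Added example, not code from the thread. Names and addresses are constructed
# placeholders (TEST-NET-1 range); replace them with the real static servers.
# Run from an elevated PowerShell session: the hosts file is admin-writable only.

$HostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$StaticHosts = @{                     # constructed example mappings
    'MILLSERVER1' = '192.0.2.10'
    'MILLSERVER2' = '192.0.2.11'
}

function Set-StaticHostEntries {
    param([string]$Path, [hashtable]$Map)
    $lines = Get-Content -Path $Path -ErrorAction Stop
    # Keep every existing line except ones that already map a name we manage,
    # so rerunning the script replaces a stale address instead of appending a
    # duplicate. Hashtable literals compare string keys case-insensitively,
    # which matches how hostnames are treated.
    $keep = foreach ($line in $lines) {
        $fields = ($line -replace '#.*$', '').Trim() -split '\s+'
        if ($fields.Count -ge 2 -and $Map.ContainsKey($fields[1])) { continue }
        $line
    }
    $managed = foreach ($name in $Map.Keys) {
        "{0}`t{1}`t# static VPN peer, managed by Set-StaticHostEntries" -f $Map[$name], $name
    }
    Set-Content -Path $Path -Value (@($keep) + @($managed)) -Encoding ASCII
}

function Test-StaticHostEntries {
    param([hashtable]$Map)
    foreach ($name in $Map.Keys) {
        # The Windows resolver consults the hosts file before DNS, so this
        # confirms which address the client will actually use for the name.
        $resolved = [System.Net.Dns]::GetHostAddresses($name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1 -ExpandProperty IPAddressToString
        # SMB runs over TCP 445; this checks that the tunnel actually carries it.
        $smb = Test-NetConnection -ComputerName $name -Port 445 -InformationLevel Quiet
        [pscustomobject]@{
            Name       = $name
            Expected   = $Map[$name]
            Resolved   = $resolved
            NameOK     = ($resolved -eq $Map[$name])
            Smb445Open = $smb
        }
    }
}

Set-StaticHostEntries -Path $HostsPath -Map $StaticHosts
Test-StaticHostEntries -Map $StaticHosts | Format-Table -AutoSize
```

The trade-off is the one the post already hints at: hosts entries only work while the servers keep their static addresses, and every client carries its own copy, so a change on the server side has to be rolled out to each laptop. Keeping the managed lines marked with a comment, as above, makes that rollout a rerun of the script rather than a hand edit.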


  • LAYER 8 Global Moderator

    Why does it have to be \\COMPUTERNAME?

    That is not a good way to do it. Even when computers are on the same network you should always use \\FQDN.

    So for example, if your computer is called host, instead of doing \\host you should do \\host.domain.tld

    This will use your DNS to get the IP. You just need to make sure that the clients are using DNS that can resolve your computers' FQDN that you're using.

    Where did you come up with the idea that these sites need to be bridged?  Do they use the same IP space on both sides?



    The proprietary, un-configurable, software in question uses \\COMPUTERNAME.

    There is no local domain controller. Windows shows "Full computer name" as a single, non-dotted word.

    The idea of a bridge appeared as it seemed to be the easiest solution, with same IP space on both sides.


  • LAYER 8 Global Moderator

    Well that is borked software.. From what, the early 90s or something?

    You could create hosts files as suggested on the machines in question, or you could set up WINS.. Or yeah, you could put both these networks on the same layer 2 with a bridge so they can broadcast for names.. That would for sure be the LAST possible choice!!

    Just because you have not given a domain name to your computers does not mean you can not do that, even if you don't have one. So these Windows machines are not in AD?? You say there is no local DC.. But is there one remote that they are a member of?

    You do not need to be a member of an AD domain to set up an FQDN for your machines and point them to a DNS that would resolve hosts in that domain. Once you place the machine in a domain.. It's quite possible it would do an FQDN query for the name, etc.

    Depends on this borked software in question - what is the name of this software? Maybe there are docs on the internet we can look at, etc.

    While sure it is technically possible to put your sites on an extended broadcast domain so that clients could broadcast for names.. Not a good idea!!!



  • Heh, I also have a few disagreements about how the software is done. However, it is sold as a pre-configured package, using its own wifi router that remains separate from our business network. The peer-to-peer network only has two servers and three clients, all supported remotely by the parent company under a support agreement, and we are not supposed to "mess with it". I do have access to the mobile laptop clients and can make minor tweaks to their configuration. I can also add a computer to the network.

    The system is pretty cutting-edge: servers control a material mill, shaping items from 3D scans created on the clients.

    To be fair to the manufacturer, I am trying to extend the usability of the system beyond what they had envisioned. I have spoken to the company and explained what I want to do. They have no objections, but have never had anyone else do it, and offered no help in setting it up. So I'm hacking away at it, learning a few things along the way. :)



  • Hacking away….:)

    If you have a machine that can run a WINS server....
    Or, Samba can do that too, it has a WINS server built-in; see the Samba man page.
    Then, push "dhcp-option WINS x.x.x.x" in the OpenVPN server.
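As an added illustration (not from the thread, the poster, or the pfSense documentation), this is what the pushed option looks like in an OpenVPN server configuration, alongside the DNS options that usually accompany it. The address 192.0.2.5 is a constructed placeholder for the WINS or Samba nmbd host on the remote LAN, and the domain name is made up.

```conf
# Added example. 192.0.2.5 and office.example are constructed placeholders.
# These directives belong in the OpenVPN *server* configuration; on pfSense
# the WINS and DNS servers are also exposed as fields on the server instance
# page, which is the cleaner place to set them.
push "dhcp-option WINS 192.0.2.5"
push "dhcp-option DNS 192.0.2.5"
push "dhcp-option DOMAIN office.example"
```

Two things to check before relying on this. First, `push` is only honoured in OpenVPN's SSL/TLS client/server mode (the PKI setup), not on a shared-key peer-to-peer tunnel, which is the same limitation behind the pfSense "won't push routes" article linked earlier in the thread; with shared key, each side's own configuration has to carry the settings. Second, the Windows client applies `dhcp-option` values to the VPN adapter only, so NetBIOS over TCP/IP must remain enabled on that adapter for the WINS server to be consulted at all, and the WINS host must be reachable through the tunnel (UDP/TCP 137 for name registration and queries).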


  • LAYER 8 Global Moderator

    "using its own wifi router that remains separate from our business network."

    So if it's on a different layer 2 than your other networks, devices on this isolated network would never be able to "broadcast" for names.. If you're just trying to hit some server that is on this isolated network, just create a DNS record that points to this IP.

    How would you bridge this network into yours if it's behind its own router?? Do you have control over this router? Is it doing NAT? Would really need more details to try and help you skin this breed of cat.



  • I really appreciate the replies, guys. This project is something I get to in between other duties so it's taking me some extra time.

    To clarify, I no longer consider broadcast/discovery necessary for this particular setup. Using the HOSTS file will suffice for such a narrow case. Should probably change the title of the original post. Before I do that, allow me to answer your questions though.

    I do not have access to the router of the small network in question, so the next step is to try the pfSense server on its NAT'd LAN side.

    I have multiple static IPs available, and the pfSense WAN will go on one of those. Access will be through this static IP.

    Any thoughts on this scheme are appreciated, even if it is to instruct me to open a different thread.



  • Let me try to illustrate..



  • LAYER 8 Netgate

    Why are you calling the wifi router a router when (apparently) the same subnet is on both sides?



    In these kinds of setups I usually forgo using the WAN side of the wifi router. Disable DHCP and set an IP address which is out of the way. Plug in a cable to the LAN side and just let the traffic flow between the ethernet port and the wireless antennas.

    Hey, I like the diagram in your sig. It would be nice if it was in an editable format, like .odg.


  • LAYER 8 Netgate

    In that case it is not a router it is an AP or a bridge. Calling it a router just confuses people.



  • Okay, I understand.



  • Closing comment: My initial testing was done using Windows 7 clients. However, the laptop clients in use are actually Windows 10. When I tested the W10 clients, everything worked out of the box - browsing and sharing, as if they were on the same physical network.

    So yes, a Peer to Peer (shared key) connection is a viable setup for me.

