Windows Shares over subnets



  • I am attempting to configure pfS to pass Windows network shares from one subnet to the other. I have pfS up and successfully running with 1 WAN and 2 LAN networks. LAN is set up to talk to the outside world, and LANi (OPT1) is set to allow only local traffic and is blocked from outside. The LAN side has a wireless acting as an AP. The LAN interfaces have DHCP running.

    LAN 192.168.20.0/24 DHCP 20.100-110
    LANi 192.168.30.0/24 DHCP 30.100-110

    I have two aliases, LAN2LANi and LANi2LAN, each pointing to a static host (the server) on its respective network.

    Hosts:
    LAN2LANi - …20.20 (Laptop running Vista)
    LANi2LAN - ...30.30 (FreeNAS)

    I was able to configure the firewall rules to allow traffic from LAN to LANi (and vice versa), and the laptop was able to see the NAS, but it can't seem to pass the Windows workgroup and share info.

    Rules:
    LAN - *  LAN2LANi  *  LANi2LAN  *  * 
    LANi - *  LANi2LAN  *  LAN2LAN  *  *

    I was thinking there might be a solution with VIPs, but so far no luck. I was hoping not to have to install another NIC into FreeNAS and set it to the LAN side, but that would defeat the whole purpose of splitting the subnets. I'm not sure if anyone is familiar with FreeNAS.

    Help would be great

    cheers



  • Windows shares are based on broadcasts.
    No router will propagate broadcasts.
    If you want something like that to run you need either a WINS server, or some kind of broadcast proxy on the pfSense.



  • @GruensFroeschli:

    Windows shares are based on broadcasts.
    No router will propagate broadcasts.
    If you want something like that to run you need either a WINS server, or some kind of broadcast proxy on the pfSense.

    Not quite correct. WINS name resolution uses broadcasts, but shares/SMB traffic work on unicast. DNS is also used in name resolution, so if you have names registered, you should be OK.

    You need to figure out if this is a name resolution problem or a routing / firewalling / subnetting problem. From the firewall rules, it looks like all protocols are permitted between the two segments. I'd take these troubleshooting steps:

    • From windows, ping the NAS box by IP address. If that fails, you've got a routing issue.

    • From windows, ping the NAS box by name. If you're using a one-word host name and that fails, then it's because of not having WINS in your environment or not having the host registered with DNS. You can get around this by either registering that name in your DNS server or adding an entry into \windows\system32\drivers\etc\hosts

    • If all else fails, you should be able to get to the NAS box with the IP address in the share name, i.e., \\192.168.30.30\share



  • Did you read the original post?  He said the laptop can see the NAS, just not do windows shares operations.  Also, gruen didn't say anything about WINS not using broadcasts, just that to do multiple subnets you need something like WINS.



  • First. What do you mean by "see" when you say "..the laptop was able to see the NAS …"?

    Please describe what you did.

    Windows shares are ordinary tcp connections and if you permit the traffic you can use them.

    The absolute easiest way to test it is to address the share using the ip of the server and the share name.

    GruensFroeschli already gave an example. Under windows open a command prompt (START->Run->CMD.EXE) and
    type in

    DIR \\<ip of file server>\<sharename>

    Example to see all files in the share "data" on server 172.10.21.20: DIR \\172.10.21.20\data

    (presumably the user account on the host has rights to access the share)

    Now there is something additional that comes into play when dealing with Windows shares...

    People tend to "browse" the network for shares. They start Explorer, go to Network, the workgroup, ... and so on.

    On a network w/o WINS the feature "browsing the network" (for shares and printers) is created by means of broadcasts. Basically every machine is shouting around who it is and what it has. (In the early days an easy way to save people from actively managing the network!)

    Have a look at:
    http://support.microsoft.com/kb/298804 and
    http://support.microsoft.com/kb/188001

    They will give a little feedback about that.

    Because at a minimum browsing the network only works for hosts in the same subnet (the broadcast packets which maintain the share info do not cross router borders), you have to add additional services when dealing with multiple subnets and offering browse lists to the people.

    In this case you have to supply a WINS server for the people (you can add its IP address on the DHCP server configuration page of the pfSense).
    And you must run a machine which runs the Microsoft WINS service, of course.

    If you have this you can offer "browsing the network for shares" for all people in all subnets.

    Cheers
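    The troubleshooting order given by LedPighp above (ping by IP, ping by name, then the UNC path by IP) and the DIR \\ip\share test just described can be run as one check from the Windows client. The script below is an added example, not code from the thread or from pfSense; it assumes Windows PowerShell on the laptop, uses the NAS address from the thread, and the host name "freenas" and share name "data" are assumed placeholders.

```powershell
# Added example, not from the thread: run on the Windows client to tell a
# routing/firewall problem apart from a name-resolution problem before
# touching pfSense rules. The NAS IP is the one from the thread; the name
# 'freenas' and the share 'data' are assumed placeholders.
param(
    [string]$NasIp   = '192.168.30.30',
    [string]$NasName = 'freenas',
    [string]$Share   = 'data'
)

$r = @{}

# Step 1: ICMP by IP. If this fails, packets are not crossing the subnets at all.
$r.PingByIp = Test-Connection -ComputerName $NasIp -Count 2 -Quiet -ErrorAction SilentlyContinue

# Step 2: name resolution on its own, so a firewall that drops ICMP cannot
# hide a DNS/WINS failure. Empty string means the name did not resolve.
try {
    $r.NameResolvesTo = ([System.Net.Dns]::GetHostAddresses($NasName) |
        ForEach-Object { $_.IPAddressToString }) -join ','
} catch {
    $r.NameResolvesTo = ''
}

# Step 3: SMB itself is unicast TCP on port 445; check it by IP, independent
# of NetBIOS browsing.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($NasIp, 445); $r.Smb445ByIp = $tcp.Connected }
catch   { $r.Smb445ByIp = $false }
finally { $tcp.Close() }

# Step 4: the UNC path by IP (needs no name service) and by name.
$r.UncByIp   = Test-Path -Path ("\\{0}\{1}" -f $NasIp,   $Share)
$r.UncByName = Test-Path -Path ("\\{0}\{1}" -f $NasName, $Share)

# Diagnosis in the order the thread suggests: routing first, then names,
# then the share itself. A missing Network Neighborhood listing with all
# four checks passing is the broadcast/browse-list limit, not a firewall issue.
if (-not $r.PingByIp -and -not $r.Smb445ByIp) {
    $r.Diagnosis = 'Routing or firewall problem: host unreachable by IP.'
} elseif ($r.Smb445ByIp -and -not $r.NameResolvesTo) {
    $r.Diagnosis = "Name resolution problem: register '$NasName' in DNS/WINS, or add '$NasIp $NasName' to $env:SystemRoot\System32\drivers\etc\hosts."
} elseif ($r.Smb445ByIp -and -not $r.UncByIp) {
    $r.Diagnosis = 'TCP 445 is open but the share is not accessible: check the share name and the account permissions on the NAS.'
} else {
    $r.Diagnosis = 'IP, name and share access all work; a missing browse-list entry is a NetBIOS broadcast limit across subnets.'
}

New-Object PSObject -Property $r | Format-List
```

    Run it as `.\Check-Share.ps1` (file name assumed) or with explicit `-NasName`/`-Share` values. The name check deliberately uses the resolver directly rather than ping, so the ICMP rule on the LANi interface cannot mask a DNS or WINS problem.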



  • @AndiSHFR:

    First. What do you mean by "see" when you say "..the laptop was able to see the NAS …"?

    Please describe what you did.

    By 'see' I meant that they are able to communicate with each other. The router is passing the traffic from one subnet to the other, thus pinging the IP address of either the laptop or NAS in both directions is successful, and the laptop can access the NAS shares without issues.

    @LedPighp:

    You need to figure out if this is a name resolution problem or a routing / firewalling / subnetting problem. From the firewall rules, it looks like all protocols are permitted between the two segments. I'd take these troubleshooting steps:

    • From windows, ping the NAS box by IP address. If that fails, you've got a routing issue.

    • From windows, ping the NAS box by name. If you're using a one-word host name and that fails, then it's because of not having WINS in your environment or not having the host registered with DNS. You can get around this by either registering that name in your DNS server or adding an entry into \windows\system32\drivers\etc\hosts

    • If all else fails, you should be able to get to the NAS box with the IP address in the share name, i.e., \\192.168.30.30\share

    From my original testing I know I can ping either end point via their IP address, but it times out on name resolution.
    I'm not too familiar with the setup of the DNS. I know I have the DNS Forwarder enabled. Would I just have to enable 'Register DHCP static mappings in DNS forwarder', or am I misunderstanding something?

    @GruensFroeschli:

    Windows shares are based on broadcasts.
    No router will propagate broadcasts.
    If you want something like that to run you need either a WINS server, or some kind of broadcast proxy on the pfSense.

    Broadcast proxy? No idea how to go about that. And there wouldn't happen to be a package for WINS? (fingers crossed)

    BTW thanks for all your help and input


  • Rebel Alliance Developer Netgate

    No package for WINS yet, though I have experimented with one in a test environment. Basically I installed samba and only configured it for WINS, no shares. There is also a package called Samba4WINS that might be useful.

    I've been trying also to find a way to use netcat or socat to proxy NetBIOS broadcasts, though my interest is more in using them to cross IPsec and OpenVPN tunnels than cross-subnet browsing. (A similar problem, but different in that a proxy agent would have to be running on both ends and pass information back and forth, not just re-broadcasting info between interfaces.)

    So far I haven't had any luck, but I haven't had a lot of time to dedicate to the task.



  • Conclusions:

    Through my testing and experimentation I found that by setting the 'DNS Forwarder' to 'Register DHCP leases/static mappings in DNS forwarder' and entering the 'NetBIOS Name' when adding a static DHCP address to the 'DHCP server', the systems can be accessed via their NetBIOS name, \\sharehost, which gives you access to their share directory view, and you can browse the systems' shared folders across the subnets in both directions without issue.

    I was unable, at this point, to find a configuration that allowed one system to “scan” from one subnet to another for CIFS shares despite firewall rules allowing traffic and being in the same Workgroup.

    I will investigate Samba4WINS and see what else I can come up with.

    Thanks all for your input and help.
    Cheers

