Routing and windows computer browsing



  • Hi all,

I'm a happy user of pfSense, using the latest 1.0 beta 1 on WRAP (3 interfaces plus Atheros-based WLAN).
    I'll first explain my current setup:

    WAN  (ISP-specific ADSL modem)        <-> pfSense (sis0 WAN interface)
    LAN1 (1Gb switch with 3 Win PCs)      <-> pfSense (sis1 LAN interface)
    LAN2 (100Mb switch with 2 Win PCs)    <-> pfSense (sis2 OPT1 interface)
    WLAN                                  <-> pfSense (ath0 OPT2 interface)

    Currently, all interfaces have different subnets (192.168.1.0/24, 192.168.2.0/24, …).
    This all runs fine with a few firewall rules, however, one important thing I need is blocked: NETBIOS broadcasts cannot get past the subnet boundaries, so computers on WLAN and LAN2 cannot 'see' computers on LAN1.

    My question is: how can this be circumvented, either by trying to route the NETBIOS broadcasts, or by changing my (logical) LAN and WLAN setup.

    The goal is to have maximum security on LAN1, and to allow easy traffic shaping with different queues on LAN1 and LAN2. (LAN1 is parents, LAN2 the kids, you get the feeling?) So any other configuration that suits my needs will do. The problem is that I'm no network wizard, so combining a single subnet on different interfaces with DHCP, while keeping the traffic shaping enabled on the physical interfaces, is somewhat hard to set up from scratch for me. I only found out about the NETBIOS blocking after this setup was configured.

    Any advice would be very welcome.

    Thanks in advance,
    Marc



  • @gommer:

    This all runs fine with a few firewall rules, however, one important thing I need is blocked: NETBIOS broadcasts cannot get past the subnet boundaries, so computers on WLAN and LAN2 cannot 'see' computers on LAN1.

    My question is: how can this be circumvented, either by trying to route the NETBIOS broadcasts, or by changing my (logical) LAN and WLAN setup.

    That's the definition of a broadcast. They don't cross IP subnets.

    Actually fixing this is difficult at best. Windows browse lists can be difficult to keep working properly with a single subnet, much less multiple ones. And browsing across multiple subnets in a Windows-only network cannot function without a server.

    Your reasonable options are:

    1. Bridge the interfaces so they're all on the same subnet. You can still use filtering, but traffic shaping might be an issue (I don't know though, maybe somebody else can answer this part).
    2. Ignore the browse problems.
    3. Attempt to fix the issue (good luck, expect to lose a lot of hair and/or gain a lot of gray hair on this one…).

    References:
    "In a Windows-only network, browsing cannot function across subnets unless a Windows NT/2000 PDC exists on the network."
    http://www.onlamp.com/pub/a/onlamp/excerpt/samba_chap7/index2.html
    http://www.cisco.com/warp/public/473/winnt_dg.htm
    http://www.comptechdoc.org/os/windows/ntwsguide/ntwsnfinding.html
    http://my.brandeis.edu/bboard/q-and-a-fetch-msg?msg_id=0003Yw
    http://www.google.com/search?q=windows+network+browsing+across+subnets



  • @cmb:

    Your reasonable options are: …

    Oh well, I've already spent nearly a weekend on solving the issue on Windows' side. I'll be giving up soon. Ignoring the browse problem is not an option, however. It is for me, but not for the wife and kids ;).

    So, I'll be focusing on pfSense-side solutions. VLAN, bridging, how's that going to co-exist with traffic shaping?



  • @gommer:

    Ignoring the browse problem is not an option, however. It is for me, but not for the wife and kids  ;).

    Might be more of one than you think. Sounds like you don't have many machines and they don't change often. You could just put a folder out on the desktop of each machine called "network computers" or something, and put a shortcut in that folder to each computer. That's a really easy and quick solution.



  • They can type the PC by hand in the Network Neighborhood:
    \\192.168.1.1
    \\192.168.2.1
    \\192.168.3.1

    etc. etc.
    Just an IP address with \\ in front of it will get you into the shared folders of that PC.



  • Thanks for all suggestions guys.
    I solved it. Of course, I know about the possibility of typing the IP address, but that's not an option for wife and kids.
    Anyway, I solved it by editing the hosts file on each machine. It still wouldn't work until I disabled the damned WinXP firewall on each machine. I wonder why M$ call Windows user-friendly, aargh.
    I feel great, outwitting M$ for a change ;D

