DNS , NetBIOS , CIFS and PPTP

arduino

Hey everyone ,

I would like to first state I understand PPTP is not secure and should not be used is almost all cases. Without going into details it should be known that security is not an issue at all. If everything on this network was completely open to the public It would not be important . Also the network I connect from is the same way.

I need some help. How would I go about resolving hostnames over PPTP using pfSense. I have read around the forums but I am finding it difficult to get a direct answer. Some people say that you need a WINS server so I setup a Ubuntu WINS ; no change.

The clients are all Windows 7. I am unsure if Windows 7 has LMhost files or if that is only windows XP , regardless this is not a solution for me.

I can ping machines on the local network over PPTP but I cannot resolve host names .

Sorry if this has been covered already and I missed it , any help is much appreciated .

Thanks

johnpoz

So you setup wins – did you point all your machines to it, so they register their names? Are you running dns, do you have all the host names n there? In your vpn setup are you handing to your vpn clients this info, be it wins or dns?

why can you not use openvpn? It has better support for netbios over tcp to vpn clients if you ask me. I vpn into my home from work and have no issues resolving host names at my home location via dns

As to this
"If everything on this network was completely open to the public It would not be important " BS -- since if it was it would be a complete and utter mess, you would be hosting warez, sending out spam, all your bandwidth would be tied up for other purposes, ddos in a botnet, etc etc..

I love it when people mention nonsense like that - they clearly have not thought it through ;)

arduino

Well I could have elaborated a bit….

I don't care because I will be using this for something that only needs to be running for one day. I know everyone here jumps to say " PPTP is worthless , never use it" . Maybe my disclaimer was a little bit ambiguous.

Thanks for your help but I cannot use openVPN . It is a requirement.

Is there anything else I could try? I don't seem to have any options and wish I could just use openVPN.

johnpoz

Here is the thing dns or wins work over pptp - so either you don't have them setup, or your firewall rules for your vpn connection are blocking them. Its that simple.

Look on your vpn client. Does it get the settings? Keep in mind these settings are if endpoint is actual client - those settings are not going to do anything if its site to site and clients on remote site do point to your wins or dns on the other side. You would have to configure the clients to use your dns or wins.

arduino

Thanks for the reply,

My setup right now is that I have a Ubuntu 12.04 machine running as a WINS server. It has all the local machines registered and I can see them in the /var/log/samba as this:

log.192.168.10.33 log.john log.jack
log.192.168.10.22 log.jim-pc log.smbd
log.192.168.10.31 log.nmbd log.workstation

On the pfSense side I have enabled the PPTP VPN server and set the Ubuntu 12.04 WINS server as the WINS server to be used.

Now when I connect via PPTP do I have change any configuration on the client side for this to work or does pfSense handle this ..given I have connections using the WINS server.

Thanks for taking the time to reply ,

johnpoz

So is a client like a desktop connecting, or some other router like pfsense connecting as a client.

You mention all windows 7 machines - so are they directly connecting to the pptp server (pfsense) or something in front of them connecting. If you do an ipconfig /all on the windows 7 machines - do they show your ubuntu wins server as their wins server for the pptp connection? Do you allow wins ports on your firewall for the openvpn clients? Does the firewall on ubuntu allow queries from remote networks?

arduino

Yes they are desktops connecting . They are all Windows 7 and when I use the command ipconfig /all the WINS does show up . I did add the WINS to each Windows computer manually. I will look at the remote queries . Do i need to port forward WINS over the lan? Is this traffic not travelling over the PPTP connection?

arduino

Also , as far as the wins server is concerned I am on the local network .. correct? Do I need to tell it to respond to remote IP's?

johnpoz

What node is the windows clients in.. if say in b-node I don't believe they would use a wins server if one was set.

But yes I would check the wins server to see if its firewall wall would block wins queries from remote networks.

I would prob sniff on your lan interface of pfsense and make sure your seeing the queries being sent to the wins server.. If you not seeing them and or answer then troubleshoot from there. What are your firewall rules on your pfsense vpn interface?

nodetype.png_thumb

arduino

Ok so I checked the Windows machines and I cannot seem to find the broadcast node label.

This is all testing for something that I plan to implement in a secure environment so maybe I should explain my requirements needed in the end.

I work for a company that uses special software to conduct research . The company employs people from locations across North America. The employees use VNC to connect to 1 of 10 desktop computers running this software and it has been working this way for 2 years.

Obviously this is sub-optimal and has no scaleability. We have since upgraded and now use a completely different network.

I am running a VM server (Proxmox) which has 40 Windows machines . This has not been put into production yet but I plan to have it up within the next week. These machines change often , we are constantly installing new copies of software on new machines and as such we require a better way to manage the systems available.

My choice was this:

I would have everyone working for the company connect using L2TP/IPSEC or PPTP. I don't like PPTP because it is insecure but is built into Windows. I am not opposed to using OpenVPN , it just means I would have to help everyone to install it.

If everyone connected to the network using VPN , it would remove the need to port forward 40-50 machines . Also , as I said , these machines are changing often so this would be difficult to manage.

What I want to do is have people connect using a VPN and once connected have a list of computers on their network to choose from . In Windows you have the option to "Connect Using Remote Desktop" when right mouse clicking on a network computer …. this is perfect.

Is there a way to set this up using open VPN. I was able to set it up using L2TP/IPSEC using Zentyal but had some minor issues and also would much rather use pfSense.

Please let me know if you have any ideas on possibly a better setup or how to setup openvpn to resolve hostnames in Windows WITHOUT the need to change settings on the client side.

johnpoz

And what node are you in - H or M, you don't want to be in broadcast.

Post up a ipconfig /all – what about just plain dns to resolve names?

arduino

This is the L2TP/IPSEC connection. I presume it is nearly identical in setup as PPTP.

Windows IP Configuration

Host Name . . . . . . . . . . . . : JAKETEST-PC
Primary Dns Suffix . . . . . . . : zentyal-domain.lan
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : zentyal-domain.lan

PPP adapter VPN Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VPN Connection
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.10.55(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 192.168.10.1
Primary WINS Server . . . . . . . : 192.168.10.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-24-D6-07-FA-9A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a1c6:9f6:57e5:265d%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.12(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, December 21, 2013 6:47:37 PM
Lease Expires . . . . . . . . . . : Wednesday, December 25, 2013 8:08:45 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 184558806
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-26-28-49-00-25-64-5B-*****

DNS Servers . . . . . . . . . . . : 192.168.2.1
192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Keep in mind this is from Zentyal. I do not want to use Zentyal , it is not nearly as good for me as pfsense. Please advise what I can do from here.

Thanks again for all your help!

arduino

Also when I am doing this with pfsense using OpenVPN , I select p-node on the config from pfsense.

Right now I have 3 machines with firewall distros on them ..swapping in and out doing testing..if you need me to setup pfsense I will.

Is my broadcast network 255.255.255.255 supposed to be /24?

Also , I am an idiot. I now see my node type is hybrid … How do I change this?

When I used NET VIEW /MACHINEID it resolves.

johnpoz

That is fine, hybrd check if wins sever listed if not or no answer then it broadcast.. That is works for you.

So again I am going to ask you.. Can the client ping the 192.168.10.1 box that is your wins and your dns.. Can he query it.. do a simple nslookup or dig to it.. For wins here is cmd line tool to verify queries work

http://support.microsoft.com/Default.aspx?kbid=830578

arduino

The link you posted does not work.

I looked up the WINS commands and they dont seem to work in Windows 7. I typed the following:

1.)netsh>
2.)wins

this gave me:

3.)netsh winsock>

The syntax for this is : server \ServerName or server \ServerIP

I tried both and they did not work for me.

nslookup did resolve every computer on the network….

I have no idea what the issue is ... There are 10 computers and I used nslookup on all of them and they come back with : COMPUTERNAME.zentyal-domain.lan . That much is working.

I also cannot ping the machines , only the server at 192.168.10.1 and machines on the end point side cannot resolve the vpn client via nslookup.

johnpoz

they didn't work for you local or remote.. The nblookup tool works just fine on windows 7..

Here is example - I fired up wins on my 2k8r2 vm, set my box to use it as wins - it registered itself.. See in the picture the records under the wins tool.. Then I can query them via cmd line tool nblookup

I don't believe windows 7 has wins features in netsh.. server does

nblookup.png_thumb

netshwins.png_thumb

arduino

Recursion is on

Querying WINS Server: 192.168.10.1
NetBIOS Name: zentyal
Suffix: 20

Name returned: ZENTYAL
Record type: Unique
IP Address: 192.168.10.1

Record type: Unique
IP Address: 192.168.5.1

Record type: Unique
IP Address: 142.176.59.204

Record type: Unique
IP Address: 10.0.5.1

I cant nblookup any computers by name other than my wins server from my remote computer.

nslookup on the remote side works but cannot find that computer on the local network using the same commands from local machines.

mikeisfly

Windows 7 machines block pings from computers not on the same subnet as them, try to disable your firewall to see if this is the cause. Also make sure that your firewall is set to home or work. If you have a machine that you can put Windows Server 2003 and up on, you can setup dns and then have the dns server look to WINs for host name resolving. Not sure about the various linux flavors if this is possible.

arduino

disable my firewall on the Windows machines or disable my physical firewall?

arduino

I am not having any issues pinging , just netbios . I joined all computers to work network and disabled the firewall. No change.