Browsing / nmbd issue with subnetting for VPN

Ron Alexander rcalex at home.com
Fri Jul 28 21:36:12 GMT 2000


I gave a QUICK read to this, so apologies if I am way off base. Since I have
a multi cable modem and VPN I might have some insight.

1. I have one server (not *nix) 1 country away and 2 concurrent cable modem
connections at home.

2. I have connectivity between the 2 PCs (1 NT and 1 Linux) with full
security using Zonealarm and Mandrake 7.1 firewall managed by GCC and made
simple by LinNeighborhood(sp). Only the NT can get to the server since that
is the only IP I have registered with the VPN.

3. I cannot get smbclient on the server to connect to my home PC. We think
the VPN is blocking it somehow.

4. I tried to set up a Linux firewall with 3 PCs behind it at home.
Everything eventually (firewalls are very tricky) worked well, but I could
not connect to the remote server. The reason for that has to do with the way
that VPNs work. Basically, the source address is put inside the encrypted
data, but when I go through the firewall with MASQ, the source address is
now different. The destination VPN software detects that and quite rightly
rejects it. I don't know if all VPNs are like that, but I wouldn't be
surprised. You might get something to work with proxies; I can't, since some
of my stuff has no proxy available.

5. Some cable modem ISPs block some or all of the NetBIOS ports (137, 138,
139) due to the security concerns. Make sure you visit http://grc.com (test
your shields and ports) and www.zonealarm.com (great firewall).

Good luck, and keep us informed of your progress.
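The mechanism Ron describes in point 4, as an added example that is not part of either message: a VPN whose integrity check covers the original source address (as IPsec AH does) will reject a packet once a masquerading gateway has rewritten that address. The packet layout, shared key and HMAC below are constructed for this illustration and are not any real VPN's wire format.

```python
"""
Added example (not from the thread): a minimal model of why a VPN that
authenticates the original IP header rejects packets that have passed through
a masquerading (NAT) firewall. Layout, key and tag scheme are constructed.
"""
import hashlib
import hmac
import ipaddress

# Assumption: a symmetric secret both VPN endpoints already hold.
KEY = b"constructed-shared-secret"
TAG_LEN = 32  # SHA-256 digest size


def build_packet(src, dst, payload):
    """Return 4-byte src + 4-byte dst + payload + tag, where the tag is an HMAC
    over everything before it, so the original source address is covered."""
    header = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    body = header + payload
    tag = hmac.new(KEY, body, hashlib.sha256).digest()
    return body + tag


def verify_packet(packet):
    """Recompute the tag over the received header + payload and compare it."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def masquerade(packet, new_src):
    """Simulate what a MASQ/NAT gateway does: rewrite only the source address."""
    return ipaddress.IPv4Address(new_src).packed + packet[4:]


def demo():
    """Return (verifies_untouched, verifies_after_nat) for one constructed packet."""
    # Constructed addresses: a private host behind the gateway and the VPN server.
    pkt = build_packet("192.168.112.180", "10.0.0.1", b"hello")
    nat_pkt = masquerade(pkt, "24.0.0.5")  # constructed public address of the gateway
    return verify_packet(pkt), verify_packet(nat_pkt)


if __name__ == "__main__":
    untouched, after_nat = demo()
    print("untouched packet verifies:", untouched)
    print("masqueraded packet verifies:", after_nat)
```

The untouched packet verifies and the masqueraded one does not, which is exactly the rejection Ron saw: the gateway changed a field the receiver is obliged to check.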

-----Original Message-----
From: samba-technical-admin at samba.org
[mailto:samba-technical-admin at samba.org]On Behalf Of Benjamin Carter
Sent: July 28, 2000 3:02 PM
To: samba-technical at samba.org
Subject: Browsing / nmbd issue with subnetting for VPN


[Apologies in advance if this is more appropriate for the samba list,
as this is technically an "I am having a problem with XXXX" message, but
I wanted the samba team to take a look at this.]

Background:

I have a bunch of friends from college that are getting broadband
connections as they become more readily available; I have recently
gotten cable modem service myself.  What we would like to be able to do
is to set up a VPN that everyone can connect to, and see everyone
currently connected, browse their shares and hopefully play LAN-style
games across the connection as well.

Since none of my other friends have done anything about it, other than
say "This would be neat if we had it set up and it worked", I have taken
the initiative and spent some time figuring out how to get this working.
Most of the VPN clients will be Win 95/98, NT, or 2000 machines.  The
VPN client for these systems sets up a point-to-point link with the
target, so for VPN client A to talk to VPN client B, it has to go
through the server; it cannot set up a tunneled connection directly
between peers.

So, I want to place the VPN server on a high-bandwidth connection,
possibly co-location, or perhaps putting it in the room of a friend who
is still at the university and has a high-speed connection in their dorm
room.  But before I go about doing any of this, particularly if it
involves spending money [as in co-location] I want to be reasonably sure
that I can have it working beforehand.

To that end, I have set up a VPN server process on my current Linux
machine functioning as my gateway to the Internet, which masquerades 2
or 3 machines behind it [I have multiple IP addresses, so I can move one
machine to the "real" side of the gateway, thus isolating it on a
separate network segment; then if I see the other machine in the browse
list for the workgroup, I can assume everything is working correctly.]

My situation:

I have assigned all the PPP links from client computers IP addresses in
the range 192.168.2.*; the server side of each of these links is
configured as 192.168.2.254.  I want samba to act as a domain master
browser, and have it also act as a WINS server so that name registration
works.  I configure the PPP link to push the IP address 192.168.2.254 as
the WINS server to the clients when they connect.

I am currently using samba-2.0.5a precompiled binaries that are part of
the slackware-7.0 distribution, which is what the machine is running.

Debugging browsing problems is difficult to say the least; with the
propagation delays, and the local netbios caches, I have to wait quite
some time before I know if my configuration changes even had any effect.

However, I do know that browsing is my only problem; if I specify
\\computer-name in any of the connected clients, they can find that
machine.  Pings to the other servers work [the machine is configured to
forward packets between hosts on the vpn subnet], they register their
names with the WINS server, and all is well on that front.

But the problem I have is that I cannot figure out how to get nmbd to
consistently register itself as the DMB for this subnet without getting
into fights over browse mastering.  If I set 'bind interfaces only =
true', nmbd _still_ binds to IPADDR_ANY:netbios-ns, and I see in the
logs '192.168.112.180 thinks it is a master browser for workgroup
MY_WORGROUP, forcing election' [in this case 192.168.112.* is the subnet
I masquerade from and .180 is one of the hosts I am connecting to the
VPN with.]

I also have problems with the interfaces line; nmbd seems to disbelieve
my subnet settings.  If I set interfaces=192.168.2.254/32, it tells me
'bcast addr = 255.255.255.255, netmask=0.0.0.0' - this is obviously
incorrect.  If I set interfaces=192.168.2.254/24, it tries to do a
broadcast for that subnet [which obviously cannot work - all the hosts
for that subnet are over point-to-point links and therefore unicast
only.]

If I set it to 192.168.2.254/31, it still fights with the clients at
192.168.2.1 over who is browse master for their subnet.

One other thing - I only want to run the WINS server, and collect browse
lists with this process, I am not interested in serving any files.  Is
there some way to convince nmbd not to register "netbios-name<20>", or
is simply not starting smbd sufficient to achieve this?

I will be downloading 2.0.7 as soon as I regain net-connectivity with
this box [flaky cable modem providers... grr] in the hopes that it will
alleviate some of my problems, but the announcements for the newer
versions do not have anything listed that looks particularly hopeful.
It looks to me as though I may have to go through the nmbd source to
achieve what I want, which is rather daunting to me as I am completely
unfamiliar with it.

One other note: when I configured 'dummy' to 192.168.200.254/24, and
told nmbd that was its subnet, things _almost_ worked... while the
workgroup<1b> name was still registered to 192.168.2.254.  The VPN
clients only get a route to 192.168.2.0/24, so they can't find the
domain master at 192.168.200.254.  (It appears I _have_ to put the nmbd
on 192.168.2.0 subnet, as I can't control the routes the VPN clients
get.)

I would post relevant logs, but as I stated earlier, the machine in
question is offline.  Any comments / help / anything would be
appreciated.

--
-Ben Carter
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so. - Douglas Adams, "Last Chance to See"
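Ben's two concrete problems are the `interfaces` line (what netmask and broadcast a /32, /24 or /31 entry actually implies) and election traffic arriving from a subnet nmbd was not meant to serve. The following is an added example, not code from the thread or from Samba: it parses a constructed smb.conf fragment of the kind Ben describes (WINS server plus domain master browser bound to one address), derives netmask and broadcast for the `interfaces` entry, and classifies nmbd "forcing election" log lines by whether the contesting host lies inside the configured subnet. All configuration values, log lines and addresses are constructed.

```python
"""
Added example (not from the thread): parse nmbd-related smb.conf settings,
compute what an `interfaces` entry implies, and flag browse-master election
messages from outside the configured subnet. Sample data is constructed.
"""
import ipaddress
import re

# Constructed smb.conf fragment in the shape the thread discusses.
SMB_CONF = """
[global]
   workgroup = MY_WORKGROUP
   interfaces = 192.168.2.254/24
   bind interfaces only = yes
   wins support = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65

[homes]
   browseable = no
"""

# Constructed nmbd log lines; the first mirrors the message quoted in the thread.
NMBD_LOG = [
    "192.168.112.180 thinks it is a master browser for workgroup MY_WORKGROUP, forcing election",
    "Samba name server GATEWAY is now a local master browser for workgroup MY_WORKGROUP",
    "192.168.2.1 thinks it is a master browser for workgroup MY_WORKGROUP, forcing election",
]

ELECTION_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) thinks it is a master browser "
    r"for workgroup (?P<workgroup>\S+), forcing election"
)


def parse_global(conf):
    """Return the [global] section of an smb.conf as a dict of lowercased keys."""
    settings = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def interface_summary(spec):
    """Derive (address, netmask, broadcast) from an entry like 192.168.2.254/24."""
    iface = ipaddress.ip_interface(spec)
    return (str(iface.ip), str(iface.netmask), str(iface.network.broadcast_address))


def classify_elections(log_lines, interface_specs):
    """Tag each election line as 'inside' or 'outside' the configured subnets.

    An 'outside' hit means nmbd is receiving election traffic from a network it
    was not meant to serve, for example because it is still bound to every
    interface rather than only the VPN-side address."""
    networks = [ipaddress.ip_interface(s).network for s in interface_specs]
    results = []
    for line in log_lines:
        m = ELECTION_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        where = "inside" if any(ip in n for n in networks) else "outside"
        results.append((str(ip), m.group("workgroup"), where))
    return results


if __name__ == "__main__":
    cfg = parse_global(SMB_CONF)
    print(cfg["interfaces"], "->", interface_summary(cfg["interfaces"]))
    for ip, wg, where in classify_elections(NMBD_LOG, [cfg["interfaces"]]):
        print(f"{ip:16} contests {wg} from {where} the configured subnet")
```

Running `interface_summary` on the entries Ben tried shows what a correct reading of each implies: /32 gives netmask 255.255.255.255 and a broadcast equal to the address itself (not the 0.0.0.0 / 255.255.255.255 his nmbd printed), and /24 gives broadcast 192.168.2.255, which no point-to-point PPP peer will ever receive. The classifier turns the single log line he quoted into a check that can run over a whole log: any election message tagged `outside` is evidence that the daemon is listening beyond the interface it was configured for.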
