[Samba] Samba and VPN Road Warrior setup

Matt Dainty matt at xrefer.com
Tue Jan 14 12:01:01 GMT 2003


Hi,

I have set up a Linux + FreeS/WAN VPN firewall/gateway to provide
Out-of-Office access. I have used DHCP to provide a small subnet block of
Internal IPs for use by the external VPN Road Warriors (all running
XP with SSH Sentinel) on their Virtual network interfaces, and the VPN
gateway performs ARP proxy on the internal interface so packets go to the
right place. No NAT is performed on this traffic.

Perhaps some ASCII art also helps, (any excuse):

+--------+
|        | 192.168.0.192 (Virtual)
| VPN #1 |
| client |===+
|        |   |
+--------+   -          +--------+ ARP Proxy
                        |        |
   ....    Internet |===| VPN GW |---| Office network  192.168.0.0/24
                        |        |
+--------+   -          +--------+
|        |   |
| VPN #n |===+
| client |
|        | 192.168.0.223 (Virtual)
+--------+

This works great so far in that most network traffic, (access to
intranet web servers, etc.), functions correctly, but one of the main
uses of this VPN is to provide access to the various Samba servers on
the network. Currently however, the WINS/Master browser component on
the network is provided by an NT box, and has its IP passed by the
DHCP server.

Currently, I cannot get the remote clients to successfully browse the
workgroup, but direct connections to the shares on the Samba servers can
be established and work with no discernible problems; I just cannot
navigate to them. I have checked the iptables firewall rules, and I'm
letting all 137/138/139 traffic through.

I don't have the inclination or desire to debug the NT box, but prior
to this problem, I was thinking about retiring the NT box anyway in
preference of using one of the Samba servers, (I can't think why the NT
box is used solely for this purpose anyway, Samba can easily handle
this role).

I'm thinking regardless of software, that part of the problem is that
UDP broadcast traffic cannot reach the Office network from the VPN
clients, and vice versa, by virtue of the topology, so browse lists
can't be propagated correctly.

Would putting something along the lines of:

remote announce = 192.168.0.192 192.168.0.193 ... 192.168.0.223

into the WINS/Browse Master Samba machine's smb.conf solve this problem?

Or if anyone has any useful advice for getting Samba working over this
kind of network topology, I would be very grateful.

TIA

Matt
-- 
"Doctor Fact is knocking at the door. Someone -- please -- let the man in!"
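
The configuration the post asks about, written out as an smb.conf `[global]` fragment for a Samba server taking over the WINS and master browser roles from the NT box. This is an added example, not part of the original post; the workgroup name `OFFICE` and the `os level` value are assumptions, and only the first two addresses of the post's list are written out because the post elides the rest.

```ini
[global]
    # Assumed workgroup name; use the one the office network already uses.
    workgroup = OFFICE

    # Act as the WINS server in place of the NT box. Only one machine on
    # the network should have this set to yes, and the DHCP server must
    # hand out this machine's IP as the WINS server to the VPN clients.
    wins support = yes

    # Take part in browser elections and hold the master browser roles.
    # The os level value is an assumption, chosen to win elections
    # against Windows hosts.
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

    # The line proposed in the post: nmbd periodically announces itself
    # by unicast to each listed address, so no broadcast has to cross
    # the tunnel. The post's list continues up to 192.168.0.223.
    # An optional /WORKGROUP suffix per address is also accepted.
    remote announce = 192.168.0.192 192.168.0.193
```

Running `testparm` against the edited file reports unknown parameters and syntax errors before nmbd is restarted.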