Hi,

I have a network with 4 NICs: one external, DMZ, and two internal, B & C.

It has been set up correctly and is working now.

The problem I have now is that any client workstation running on network B, MS Windows 2K / XP / NT, cannot connect to the primary domain controller which is in network C. The clients cannot even see the network domain in the explorer window.

I believe the problem is related to NetBIOS, which is not routable, but I am not sure how to fix this issue, which is a serious one, as no one can connect from the client to the main server.

Any help is appreciated.

Regards,

This message was sent through MyMail http://www.mymail.com.au
On Mon, 18 Aug 2003 4:17:31 +1000, <deya@ozemail.com.au> wrote:

> Hi,
>
> I have a network with 4 NICs: one external, DMZ, and two internal, B & C.
>
> It has been set up correctly and is working now.
>
> The problem I have now is that any client workstation running on network B,
> MS Windows 2K / XP / NT, cannot connect to the primary domain controller
> which is in network C. The clients cannot even see the network domain in
> the explorer window.
>
> I believe the problem is related to NetBIOS, which is not routable, but I
> am not sure how to fix this issue, which is a serious one, as no one can
> connect from the client to the main server.
>
> Any help is appreciated.

This question really has nothing to do with Shorewall. Any time you place any kind of router in the middle of a flock of Windoze systems, you have the problem that you describe. You must add a WINS server to your network, then configure the Windoze systems to use that server. I personally run Samba on my Shorewall box to solve this problem (see http://shorewall.net/myfiles.htm).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
deya@ozemail.com.au wrote:

> Hi,
>
> I have a network with 4 NICs: one external, DMZ, and two
> internal, B & C.
>
> It has been set up correctly and is working now.
>
> The problem I have now is that any client workstation running on
> network B, MS Windows 2K / XP / NT, cannot connect to the
> primary domain controller which is in network C. The clients
> cannot even see the network domain in the explorer window.

Add shorewall rules (or policy) to allow ports 445, 137-139 from network B to network C. This will allow the MS Windows clients to register with your PDC.

BTW: I also had to add a DNS alias for my MS domain name so that the systems in my DMZ could obtain the IP address of the PDC.

> I believe the problem is related to NetBIOS, which is not
> routable,

NetBIOS "is" a routable protocol.

> but I am not sure how to fix this issue, which is a serious one,
> as no one can connect from the client to the main server.

It's a serious problem because you probably do not understand MS networking, especially at the Enterprise level (that's Microsoft's terminology, not mine). The problem you describe is well documented by both Microsoft and the shorewall documents.

Steve Cowles
Tom Eastep wrote:

> This question really has nothing to do with Shorewall. Any time you
> place any kind of router in the middle of a flock of Windoze systems,
> you have the problem that you describe. You must add a WINS server to
> your network, then configure the Windoze systems to use that server. I
> personally run Samba on my Shorewall box to solve this problem (see
> http://shorewall.net/myfiles.htm).

Just my two cents... but if you do install a samba server to act as a WINS server, be sure to configure Samba to NOT win the domain master browser election. Your PDC needs to win that election. Winning the local master browser (LMB) election is all that I allow samba to win in my configuration between network segments.

Steve Cowles
----- Original Message -----
From: "Cowles, Steve" <steve@stevecowles.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Sunday, August 17, 2003 11:58 AM
Subject: RE: [Shorewall-users] Shorewall with MS Windows PDC

> Tom Eastep wrote:
>
> > This question really has nothing to do with Shorewall. Any time you
> > place any kind of router in the middle of a flock of Windoze systems,
> > you have the problem that you describe. You must add a WINS server to
> > your network, then configure the Windoze systems to use that server. I
> > personally run Samba on my Shorewall box to solve this problem (see
> > http://shorewall.net/myfiles.htm).
>
> Just my two cents... but if you do install a samba server to act as a WINS
> server, be sure to configure Samba to NOT win the domain master browser
> election. Your PDC needs to win that election. Winning the local master
> browser (LMB) election is all that I allow samba to win in my configuration
> between network segments.
>
> Steve Cowles

I have this setup in RH 7.3 with samba working, connecting to windoz domains (domain controllers). I just recently downloaded RH 9.0 and, lo and behold, it is really similar to Microsoft's configuration GUIs; it immediately found all the Windows machines on my network right out of the box config.

I believe you are referring to NetBEUI, not NetBIOS, as non-routable.

Follow Tom's section on Samba ports to allow between the segments and you should be able to connect to your domain controllers.

Mike
I thought if you pointed everything at the WINS server, PDC included, there wouldn't be any election. I thought the point of WINS was to eliminate the crappy election process.

dave

----- Original Message -----
From: "Cowles, Steve" <steve@stevecowles.com>

> Just my two cents... but if you do install a samba server to act as a WINS
> server, be sure to configure Samba to NOT win the domain master browser
> election. Your PDC needs to win that election. Winning the local master
> browser (LMB) election is all that I allow samba to win in my configuration
> between network segments.
David Kempe wrote:

> I thought if you pointed everything at the WINS server, PDC included,
> there wouldn't be any election.

In a perfect world (according to Microsoft) you would place a WINS server on each LAN segment. Then configure each MS client to register with the local WINS server on that segment. Each WINS server is then configured to replicate its registrations (database) to the other WINS servers on the other LAN segments, replicating only the changes as clients register/de-register. This keeps browser (network neighborhood) requests local. This is especially useful if you have remote offices (LANs) that are connected by VPNs. The last thing you want is a 1000+ node browser list spanning your VPN every time someone opens network neighborhood.

Of course, the above perfect world is based on using the old NT4 based PDC/BDC (like me). Active Directory is a different ball of wax altogether.

> I thought the point of WINS was to eliminate the crappy election
> process.

You would think that, but then we are dealing with Microsoft and MS networking. There is still an election process for the local master browser and/or the domain master browser. Turn on ethereal and watch the election process taking place on each LAN segment.

FWIW: I have an MS based (NT4) PDC and WINS server on my LAN and the election process is always taking place. In fact, if I configure Samba as the WINS server (instead of the PDC) and set its parameters to win the election process (OS level, etc...), I get a nasty event log message on the PDC stating that it lost the domain master browser election to another system that is not a PDC and it will continue to try and win the election process back. Go figure!

Steve Cowles
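A Samba smb.conf fragment for the WINS-on-the-firewall setup Tom describes, tuned the way Steve advises so the NT4 PDC keeps the domain master browser role. This is an added example, not configuration from the thread or from the Shorewall project; the domain name, NetBIOS name and interface names are assumptions.

```ini
; /etc/samba/smb.conf on the firewall (added example; names are assumed)
[global]
   workgroup = MYDOMAIN            ; assumed: the NT4 domain name the PDC serves
   netbios name = FWWINS           ; assumed name for the firewall's nmbd

   ; bind nmbd/smbd to the two internal segments only, so NetBIOS is
   ; never offered on the external or DMZ interfaces (eth1/eth2 assumed)
   interfaces = eth1 eth2
   bind interfaces only = yes

   ; WINS role (Tom's setup): clients on both segments register here,
   ; and name lookups for the domain go to this server instead of broadcast
   wins support = yes
   wins proxy = no
   ; never combine "wins support = yes" with a "wins server = ..." line

   ; browser elections (Steve's point): the PDC must win the domain
   ; master browser election, so this host never contests it
   domain master = no
   preferred master = no           ; do not force an election when nmbd starts
   local master = yes              ; may still win local master on a segment
   ; NT Workstation / 2K Pro announce os level 16, NT Server / PDC 32;
   ; 20 beats the workstations on segment B but loses to the PDC on C
   os level = 20
```

Clients still have to be told about the WINS server (the TCP/IP WINS address, or DHCP option 44, netbios-name-servers); once the PDC registers there too, machines on B resolve the domain's <1B> and <1C> names through WINS rather than by local broadcast.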
Thanks Tom for your help.

Please tell me if I am right or wrong: to set up a WINS server (using samba) on the fw, would that be the best way / solution? As I have problems connecting to some of the shares if they are on the other network (C for example) when connecting from the B network.

Thanks,

> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] Shorewall with MS Windows PDC
> Date: 18/08/2003 4:27:17
> To: deya@ozemail.com.au, shorewall-users@lists.shorewall.net
>
> On Mon, 18 Aug 2003 4:17:31 +1000, <deya@ozemail.com.au> wrote:
>
> > Hi,
> >
> > I have a network with 4 NICs: one external, DMZ, and two internal, B & C.
> >
> > It has been set up correctly and is working now.
> >
> > The problem I have now is that any client workstation running on network B,
> > MS Windows 2K / XP / NT, cannot connect to the primary domain controller
> > which is in network C. The clients cannot even see the network domain in
> > the explorer window.
> >
> > I believe the problem is related to NetBIOS, which is not routable, but I
> > am not sure how to fix this issue, which is a serious one, as no one can
> > connect from the client to the main server.
> >
> > Any help is appreciated.
>
> This question really has nothing to do with Shorewall. Any time you place
> any kind of router in the middle of a flock of Windoze systems, you have
> the problem that you describe. You must add a WINS server to your network,
> then configure the Windoze systems to use that server. I personally run
> Samba on my Shorewall box to solve this problem (see
> http://shorewall.net/myfiles.htm).
>
> -Tom
On Mon, 2003-08-18 at 11:59, deya@ozemail.com.au wrote:

> Thanks Tom for your help.
>
> Please tell me if I am right or wrong: to set up a WINS server (using samba)
> on the fw, would that be the best way / solution? As I have problems
> connecting to some of the shares if they are on the other network (C for
> example) when connecting from the B network.

Please post in plain text and configure your mailer to fold lines.

You are much better off listening to Steve Cowles's advice on this issue rather than mine, as he knows a lot more about MS networking than I do. I don't run a PDC here, and running Samba as a WINS server on my firewall works fine for me. I have two separate LAN segments related to zones 'loc' and 'WiFi'. My rules related to MS networking are:

# WIFI to Firewall
#
ACCEPT  WiFi  fw    tcp  ssh,137,139,445
ACCEPT  WiFi  fw    udp  137:139,445
ACCEPT  WiFi  fw    udp  1024:        137
###################################################
# Firewall to WIFI
#
ACCEPT  fw    WiFi  tcp  137,139,445
ACCEPT  fw    WiFi  udp  137:139,445
ACCEPT  fw    WiFi  udp  1024:        137
###################################################
# WIFI to loc
#
ACCEPT  WiFi  loc   udp  137:139
ACCEPT  WiFi  loc   tcp  137,139,445
ACCEPT  WiFi  loc   udp  1024:        137
###################################################
# loc to WiFi
#
ACCEPT  loc   WiFi  udp  137:139
ACCEPT  loc   WiFi  tcp  137,139,445
ACCEPT  loc   WiFi  udp  1024:        137

-Tom
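Steve's advice (allow 445 and 137-139 from B to C) and Tom's rule set above, applied to the original poster's topology, as an added example that is not from the thread or from the Shorewall project. It assumes the two internal networks are defined as Shorewall zones `locb` and `locc`, that the WINS server runs on the firewall (zone `fw`) as the poster proposed, and the Shorewall 1.4 rules-file column order (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S)).

```text
# /etc/shorewall/rules (added example; zone names locb/locc are assumed)
#
# B clients to the PDC on C: NetBIOS name and datagram service (udp 137-139),
# NetBIOS session (tcp 139) and direct SMB over TCP (tcp 445).
# The "udp 1024: 137" line admits packets sent from source port 137 to an
# ephemeral port, i.e. name-service replies to queries that did not
# originate from port 137.
#
#ACTION SOURCE DEST  PROTO DEST PORT(S)   SOURCE PORT(S)
ACCEPT  locb   locc  udp   137:139
ACCEPT  locb   locc  tcp   137,139,445
ACCEPT  locb   locc  udp   1024:          137
#
# the PDC and the C-side browse masters also initiate traffic toward B
ACCEPT  locc   locb  udp   137:139
ACCEPT  locc   locb  tcp   137,139,445
ACCEPT  locc   locb  udp   1024:          137
#
# both segments to the WINS server on the firewall, and the firewall back
ACCEPT  locb   fw    udp   137:139,445
ACCEPT  locb   fw    tcp   137,139,445
ACCEPT  locb   fw    udp   1024:          137
ACCEPT  fw     locb  udp   137:139,445
ACCEPT  fw     locb  tcp   137,139,445
ACCEPT  fw     locb  udp   1024:          137
ACCEPT  locc   fw    udp   137:139,445
ACCEPT  locc   fw    tcp   137,139,445
ACCEPT  locc   fw    udp   1024:          137
ACCEPT  fw     locc  udp   137:139,445
ACCEPT  fw     locc  tcp   137,139,445
ACCEPT  fw     locc  udp   1024:          137
#
# no rule above names the net or dmz zones, so the external side gains
# no SMB/NetBIOS exposure from this change
```

Run `shorewall check` before `shorewall restart` so a typo in a zone name or port list is caught before the firewall is reloaded.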