Hi, I have my VPN working as outlined in the manual.

I have a road-warrior connection which connects to a firewall. On the other side of the firewall I have a Samba server which I can connect to from the road warrior if I enter

  \\192.168.0.4

into the address bar of Windows Explorer, but the domain name appears as

  "Unknown"

in the Network Neighbourhood, and I cannot automatically see the other computers on the LAN unless I type their IP addresses into Explorer.

Is this a firewall issue? I have tried

<snip>
#ACTION  SOURCE  DEST  PROTO  DEST_PORT(S)  SOURCE_PORT(S)
ACCEPT   vpn     loc   udp    137:139
ACCEPT   vpn     loc   tcp    137,139,445
ACCEPT   vpn     loc   udp    1024:         137
ACCEPT   loc     vpn   udp    137:139
ACCEPT   loc     vpn   tcp    137,139,445
ACCEPT   loc     vpn   udp    1024:         137
</snip>

I have also tried running Samba directly on the firewall with the following rules, but still the same problem.

#ACTION  SOURCE  DEST  PROTO  DEST_PORT(S)  SOURCE_PORT(S)
ACCEPT   vpn     fw    udp    137:139
ACCEPT   vpn     fw    tcp    137,139,445
ACCEPT   vpn     fw    udp    1024:         137
ACCEPT   fw      vpn   udp    137:139
ACCEPT   fw      vpn   tcp    137,139,445
ACCEPT   fw      vpn   udp    1024:         137
ACCEPT   loc     fw    udp    137:139
ACCEPT   loc     fw    tcp    137,139,445
ACCEPT   loc     fw    udp    1024:         137
ACCEPT   fw      loc   udp    137:139
ACCEPT   fw      loc   tcp    137,139,445
ACCEPT   fw      loc   udp    1024:         137
Robin M. wrote:
> Hi, I have my VPN working as outlined in the manual.
>
> I have a road-warrior connection which connects to a firewall. On the
> other side of the firewall I have a Samba server which I can connect to from
> the road warrior if I enter
>
> \\192.168.0.4
>
> into the address bar of Windows Explorer, but the domain name appears as
>
> "Unknown"
>
> in the Network Neighbourhood, and I cannot automatically see the other
> computers on the LAN unless I type their IP addresses into Explorer.
>
> Is this a firewall issue?

No. It is the way that Windows networking works across different networks. Read the last paragraph at http://shorewall.net/samba.htm

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Robin M. wrote:
> Hi, I have my VPN working as outlined in the manual.
>
> I have a road-warrior connection which connects to a firewall. On the
> other side of the firewall I have a Samba server which I can connect to
> from the road warrior if I enter
>
> \\192.168.0.4
>
> into the address bar of Windows Explorer, but the domain name appears
> as
>
> "Unknown"
>
> in the Network Neighbourhood, and I cannot automatically see the other
> computers on the LAN unless I type their IP addresses into
> Explorer.

1) Is your Samba server configured as a WINS server?

2) If so, are all clients on your LAN (the ones you're trying to connect to using Windows Explorer / Network Neighborhood) configured to register with the WINS server? I.e. netbios-node-type=0x8 or hybrid (versus the default netbios-node-type of broadcast).

3) Is your VPN client configured to register with your WINS server?

If the answer to any one of the above is no, then browsing across a VPN is next to impossible unless you manually edit the lmhosts file on your VPN client and add all MS domains, master browsers and the NetBIOS names of all your hosts. Basically, you have to re-create the WINS server registration database on your VPN client.
On Sun, 9 May 2004, Tom Eastep wrote:
> Robin M. wrote:
> > Hi, I have my VPN working as outlined in the manual.
> >
> > I have a road-warrior connection which connects to a firewall. On the
> > other side of the firewall I have a Samba server which I can connect to from
> > the road warrior if I enter
> >
> > \\192.168.0.4
> >
> > into the address bar of Windows Explorer, but the domain name appears as
> >
> > "Unknown"
> >
> > in the Network Neighbourhood, and I cannot automatically see the other
> > computers on the LAN unless I type their IP addresses into Explorer.
> >
> > Is this a firewall issue?
>
> No. It is the way that Windows networking works across different
> networks. Read the last paragraph at http://shorewall.net/samba.htm

Hi Tom, thanks for confirming this is not a firewall issue. I see you have a WINS server on your firewall and another SMB server on the inside. I will try to find out more about how this works on the Samba list.
On Sun, 9 May 2004, Cowles, Steve wrote:
> Robin M. wrote:
> > Hi, I have my VPN working as outlined in the manual.
> >
> > I have a road-warrior connection which connects to a firewall. On the
> > other side of the firewall I have a Samba server which I can connect to
> > from the road warrior if I enter
> >
> > \\192.168.0.4
> >
> > into the address bar of Windows Explorer, but the domain name appears
> > as
> >
> > "Unknown"
> >
> > in the Network Neighbourhood, and I cannot automatically see the other
> > computers on the LAN unless I type their IP addresses into
> > Explorer.
>
> 1) Is your Samba server configured as a WINS server?
> 2) If so, are all clients on your LAN (the ones you're trying to connect to
> using Windows Explorer / Network Neighborhood) configured to register with the
> WINS server? I.e. netbios-node-type=0x8 or hybrid (versus the default
> netbios-node-type of broadcast).
> 3) Is your VPN client configured to register with your WINS server?
>
> If the answer to any one of the above is no, then browsing across a VPN is
> next to impossible unless you manually edit the lmhosts file on your VPN
> client and add all MS domains, master browsers and the NetBIOS names of all
> your hosts. Basically, you have to re-create the WINS server registration
> database on your VPN client.

Thanks for the checklist. I was able to answer yes to #1, and I will read up on how I can fulfil the rest of the items, and I will read up on Samba now that this is confirmed to not be a firewall issue.
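The lmhosts fallback Steve describes (pre-loading the domain, the domain master browser and every host's NetBIOS name on the VPN client) has one detail that is easy to get wrong: the domain master browser record needs the domain name padded to exactly 15 characters inside the quotes, followed by the literal \0x1b suffix. The generator below is an added example for this page, not code from the thread or from the Shorewall or Samba projects; the workgroup name, host names and the addresses other than 192.168.0.4 are constructed for the example.

```python
"""Generate a Windows lmhosts file that pre-loads the NetBIOS names a VPN
road warrior needs to resolve on the remote LAN (the fallback described
above when WINS registration is not available).  The domain, host names and
addresses below are constructed for this example."""
import re

# NetBIOS names: at most 15 characters; Windows stores them upper-case.
# Characters outside this set are rejected rather than silently mangled.
NETBIOS_NAME_RE = re.compile(r"^[A-Z0-9!@#$%^&()\-_'{}.~]{1,15}$")


def netbios_name(name):
    """Normalise to upper case and reject names that are not valid."""
    n = name.strip().upper()
    if not NETBIOS_NAME_RE.match(n):
        raise ValueError("invalid NetBIOS name: %r" % name)
    return n


def domain_master_browser_entry(ip, domain):
    """The <1B> record for the domain master browser.  The quoted name must be
    padded with spaces to exactly 15 characters and followed by the literal
    suffix \\0x1b, so the text between the quotes is 20 characters long."""
    return '%-16s"%-15s\\0x1b"    #PRE' % (ip, netbios_name(domain))


def build_lmhosts(domain, dc, hosts):
    """domain: NetBIOS domain/workgroup; dc: (ip, name) of the domain
    controller that is also the domain master browser; hosts: (ip, name)
    pairs for the remaining LAN hosts.  #PRE preloads the entry into the
    name cache, #DOM: marks the domain controller."""
    dc_ip, dc_name = dc
    lines = ["# lmhosts for the road-warrior VPN client (generated)"]
    lines.append("%-16s%-16s#PRE #DOM:%s"
                 % (dc_ip, netbios_name(dc_name), netbios_name(domain)))
    lines.append(domain_master_browser_entry(dc_ip, domain))
    for ip, name in hosts:
        lines.append("%-16s%-16s#PRE" % (ip, netbios_name(name)))
    return "\n".join(lines) + "\n"


# Constructed sample: the Samba box from the thread as DC / master browser,
# plus two more LAN hosts (names and addresses are hypothetical).
SAMPLE = build_lmhosts(
    "WORKGROUP",
    ("192.168.0.4", "SAMBASRV"),
    [("192.168.0.10", "DESKTOP1"), ("192.168.0.11", "LAPTOP2")],
)

if __name__ == "__main__":
    print(SAMPLE, end="")
```

On the client the output goes to %SystemRoot%\system32\drivers\etc\lmhosts (no extension; lmhosts.sam next to it is the shipped sample), and `nbtstat -R` purges and reloads the name cache so the #PRE entries take effect without a reboot. This only replaces name resolution; the browse list shown in Network Neighbourhood is still assembled by the master browser, which is why the WINS route in Steve's checklist is the cleaner fix.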
Hi, I've just configured a Shorewall box with identical settings to a machine which works for passing PPTP via DNAT to an internal PPTP server (Windows).

Unfortunately we cannot establish a connection, and tcpdump tells (from firewall to client):

  icmp: my_host protocol 47 unreachable [tos 0xc0]

What could I do now to troubleshoot? We followed exactly the DNAT settings in your docs.

Thx
Andy
Andreas Krause wrote:
> Hi,
>
> I've just configured a Shorewall box with identical settings to a machine
> which works for passing PPTP via DNAT to an internal PPTP server (Windows).
>
> Unfortunately we cannot establish a connection, and tcpdump tells (from
> firewall to client): icmp: my_host protocol 47 unreachable [tos 0xc0].
>
> What could I do now to troubleshoot?

Andreas -- FAQs #1a and #1b give information about how to troubleshoot port forwarding problems.

-Tom
Sorry if my last mail came through twice (server problems :-)

On Wednesday, 7 July 2004 16:26, Tom Eastep wrote:
> Andreas Krause wrote:
> > Hi,
> >
> > I've just configured a Shorewall box with identical settings to a machine
> > which works for passing PPTP via DNAT to an internal PPTP server (Windows).
> >
> > Unfortunately we cannot establish a connection, and tcpdump tells (from
> > firewall to client): icmp: my_host protocol 47 unreachable [tos 0xc0].
> >
> > What could I do now to troubleshoot?
>
> Andreas -- FAQs #1a and #1b give information about how to troubleshoot
> port forwarding problems.

Did everything, no chance.
DNAT is from net to loc for tcp/1723 and proto/47.
Packet count says 1 for 1723, but 0 for proto 47.
ISP is NOT blocking.

Andy
Andreas Krause wrote:
>>> Unfortunately we cannot establish a connection, and tcpdump tells (from
>>> firewall to client): icmp: my_host protocol 47 unreachable [tos 0xc0].
>>>
>>> What could I do now to troubleshoot?
>>
>> Andreas -- FAQs #1a and #1b give information about how to troubleshoot
>> port forwarding problems.
>
> Did everything, no chance.
> DNAT is from net to loc for tcp/1723 and proto/47.
> Packet count says 1 for 1723, but 0 for proto 47.
> ISP is NOT blocking.

Please post:

a) output of "shorewall status" (as an attachment) after you have attempted to connect.

b) output of "lsmod"

-Tom
On Wed, 2004-07-07 at 07:55 -0700, Tom Eastep wrote:
> Andreas Krause wrote:
> >>> Unfortunately we cannot establish a connection, and tcpdump tells (from
> >>> firewall to client): icmp: my_host protocol 47 unreachable [tos 0xc0].
> >>>
> >>> What could I do now to troubleshoot?
> >>
> >> Andreas -- FAQs #1a and #1b give information about how to troubleshoot
> >> port forwarding problems.
> >
> > Did everything, no chance.
> > DNAT is from net to loc for tcp/1723 and proto/47.
> > Packet count says 1 for 1723, but 0 for proto 47.
> > ISP is NOT blocking.
>
> Please post:
>
> a) output of "shorewall status" (as an attachment) after you have
> attempted to connect.

I would not mind, but there is too much "internal" data in that output :-)

> b) output of "lsmod"

Attached.

Thx
Andy
Andy wrote:
> On Wed, 2004-07-07 at 07:55 -0700, Tom Eastep wrote:
>> Andreas Krause wrote:
>>>>> Unfortunately we cannot establish a connection, and tcpdump tells (from
>>>>> firewall to client): icmp: my_host protocol 47 unreachable [tos 0xc0].
>>>>>
>>>>> What could I do now to troubleshoot?
>>>>
>>>> Andreas -- FAQs #1a and #1b give information about how to troubleshoot
>>>> port forwarding problems.
>>>
>>> Did everything, no chance.
>>> DNAT is from net to loc for tcp/1723 and proto/47.
>>> Packet count says 1 for 1723, but 0 for proto 47.
>>> ISP is NOT blocking.
>>
>> Please post:
>>
>> a) output of "shorewall status" (as an attachment) after you have
>> attempted to connect.
>
> I would not mind, but there is too much "internal" data in that
> output :-)

Then I don't know how much more I can help you (if you're not willing to send me the output privately).

>> b) output of "lsmod"
>
> Attached.

You might see if it works if you unload all of the pptp/gre conntrack/nat modules -- there are some broken versions of those around.

-Tom
On Wed, 2004-07-07 at 14:08 -0700, Tom Eastep wrote:
> Andy wrote:
> > On Wed, 2004-07-07 at 07:55 -0700, Tom Eastep wrote:
> >> Andreas Krause wrote:
> >>>>> Unfortunately we cannot establish a connection, and tcpdump tells (from
> >>>>> firewall to client): icmp: my_host protocol 47 unreachable [tos 0xc0].
> >>>>>
> >>>>> What could I do now to troubleshoot?
> >>>>
> >>>> Andreas -- FAQs #1a and #1b give information about how to troubleshoot
> >>>> port forwarding problems.
> >>>
> >>> Did everything, no chance.
> >>> DNAT is from net to loc for tcp/1723 and proto/47.
> >>> Packet count says 1 for 1723, but 0 for proto 47.
> >>> ISP is NOT blocking.
> >>
> >> Please post:
> >>
> >> a) output of "shorewall status" (as an attachment) after you have
> >> attempted to connect.
> >
> > I would not mind, but there is too much "internal" data in that
> > output :-)
>
> Then I don't know how much more I can help you (if you're not willing to
> send me the output privately).

Did it ;-)

> >> b) output of "lsmod"
> >
> > Attached.
>
> You might see if it works if you unload all of the pptp/gre
> conntrack/nat modules -- there are some broken versions of those around.

I'll check.

Andy
Andy wrote:
>>> I would not mind, but there is too much "internal" data in that
>>> output :-)
>>
>> Then I don't know how much more I can help you (if you're not willing to
>> send me the output privately).
>
> Did it ;-)
>
>>>> b) output of "lsmod"
>>>
>>> Attached.
>>
>> You might see if it works if you unload all of the pptp/gre
>> conntrack/nat modules -- there are some broken versions of those around.
>
> I'll check.

I hope that fixes it because I'm out of ideas -- your ruleset looks fine but the proto 47 packets aren't reaching the 'nat' table's PREROUTING chain.

-Tom
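The two observations in this thread fit together: a DNAT counter of 1 for tcp/1723 and 0 for proto 47 says the GRE packets never hit the nat PREROUTING rule, and an ICMP "protocol 47 unreachable" sent by the firewall itself (type 3, code 2) says those GRE packets were instead delivered to the firewall's own IP stack, which has no GRE handler. The script below is an added example that encodes that reasoning as a check over a `iptables -t nat -L PREROUTING -v -n` listing (which is what a "shorewall status" of that era contained) and over tcpdump lines. It is not code from the thread or from Shorewall; both inputs are constructed for the example and use documentation addresses.

```python
"""Triage a PPTP port forward (tcp/1723 control channel plus GRE, IP
protocol 47, which has no ports) from an `iptables -t nat -L PREROUTING -v -n`
listing and from tcpdump output.  The two inputs below are constructed for
this example; addresses are documentation ranges."""
import re

# Constructed listing: the tcp/1723 DNAT rule matched once, the GRE rule
# never did -- the counters reported in the thread.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 42 packets, 2520 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:1723 to:192.168.1.5
    0     0 DNAT       47   --  eth0   *       0.0.0.0/0            203.0.113.10         to:192.168.1.5
"""

# Constructed tcpdump line: the firewall answers the client's GRE packet
# with ICMP type 3 code 2 (protocol unreachable), which only happens when
# the packet was delivered to the firewall's own stack instead of being
# rewritten and forwarded.
SAMPLE_TCPDUMP = """\
12:00:01.000000 IP 203.0.113.10 > 198.51.100.7: icmp 56: 203.0.113.10 protocol 47 unreachable [tos 0xc0]
"""

RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<proto>\S+)"
    r"\s+\S+\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?P<extra>.*)$")

# iptables prints the protocol name when /etc/protocols knows it, else the number.
PROTO_NAMES = {"6": "tcp", "17": "udp", "47": "gre", "1": "icmp"}


def parse_nat_rules(listing):
    """One dict per rule line; chain and column headers are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["pkts"] = int(r["pkts"])
        r["proto"] = PROTO_NAMES.get(r["proto"], r["proto"]).lower()
        to = re.search(r"\bto:(\S+)", r["extra"])
        r["to"] = to.group(1).split(":")[0] if to else None  # host part only
        rules.append(r)
    return rules


def check_pptp_forward(rules):
    """Findings about the DNAT pair a PPTP server behind NAT needs."""
    ctl = [r for r in rules if r["target"] == "DNAT" and r["proto"] == "tcp"
           and "dpt:1723" in r["extra"]]
    gre = [r for r in rules if r["target"] == "DNAT" and r["proto"] == "gre"]
    findings = []
    if not ctl:
        findings.append("no DNAT rule for tcp/1723 (PPTP control channel)")
    if not gre:
        findings.append("no DNAT rule for IP protocol 47 (GRE): tunnel data "
                        "cannot be forwarded")
        return findings
    if ctl and ctl[0]["to"] != gre[0]["to"]:
        findings.append("tcp/1723 and GRE are forwarded to different hosts: "
                        "%s vs %s" % (ctl[0]["to"], gre[0]["to"]))
    if ctl and ctl[0]["pkts"] > 0 and gre[0]["pkts"] == 0:
        findings.append("GRE DNAT rule never matched while tcp/1723 did: GRE "
                        "is not reaching the nat PREROUTING chain (suspect the "
                        "pptp/gre conntrack and NAT helper modules, or a block "
                        "upstream)")
    return findings


ICMP_PROTO_UNREACH_RE = re.compile(r"protocol (\d+) unreachable")


def protocols_unreachable(tcpdump_text):
    """IP protocol numbers reported as unreachable in ICMP 3/2 messages."""
    return sorted({int(p) for p in ICMP_PROTO_UNREACH_RE.findall(tcpdump_text)})


def diagnose(listing, tcpdump_text):
    findings = check_pptp_forward(parse_nat_rules(listing))
    if 47 in protocols_unreachable(tcpdump_text):
        findings.append("firewall itself sent ICMP 'protocol 47 unreachable': "
                        "the GRE packet reached its local stack, i.e. it was "
                        "not DNATed")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_NAT, SAMPLE_TCPDUMP):
        print("-", f)
```

Run against the real listing and capture instead of the samples, the useful property is that the two signals are independent: a non-zero GRE counter with the ICMP message absent means the forward is working and the problem is on the PPTP server; a zero counter together with the ICMP message means the packet is being consumed before nat PREROUTING, which is exactly where Tom's suggestion to unload the pptp/gre conntrack and NAT modules applies.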