Hello, everybody. This one''s got me stumped. What I''m trying to do is have two networks--192.168.1.0 and 192.168.2.0--with SMB and WINS running between them. So far I can mount SMB shares allright, but I can''t browse by WINS names across the router. I''ve posted this question on Linuxquestions.org; you''ll find the details there. Here are my rules: ACCEPT loc net:192.168.1.1,192.168.1.249,192.168.1.250 ACCEPT net:192.168.1.1,192.168.1.249,192.168.1.250 loc ACCEPT loc net tcp smtp ACCEPT loc net tcp http ACCEPT loc net tcp ftp AllowPing loc net ACCEPT loc net tcp pop3 AllowSSH loc fw AllowSSH net fw AllowPing loc fw AllowPing fw loc AllowPing fw net ACCEPT net:192.168.1.248,192.168.1.249,192.168.1.250 fw AllowSMB loc net AllowSMB net loc AllowSMB net fw AllowSMB loc fw AllowSNMP loc net My policies are currently all set to ACCEPT (except for the all-all line, which is DROP). Here is some general info: Shorewall version 2.4 ip addr show 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:50:04:11:f8:1a brd ff:ff:ff:ff:ff:ff inet 192.168.2.247/24 brd 192.168.2.255 scope global eth0 3: ra0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:12:17:98:ab:64 brd ff:ff:ff:ff:ff:ff inet 192.168.1.247/24 brd 192.168.1.255 scope global ra0 ip route show 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.247 192.168.1.0/24 dev ra0 proto kernel scope link src 192.168.1.247 127.0.0.0/8 dev lo scope link default via 192.168.1.1 dev ra0 More info is at: http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983#post1702983 I''d greatly appreciate any help you are willing to give. Thanks! --Dane
Hi, Phil and thanks for the (quick!) reply! I''ve got a few questions on the suggestions you made. They all seem to make sense, but I don''t know how to implement them.> I see what the problem is Dane, it''s not a firewall issue but the fact you > actually need 2 WINS servers, one on each subnet.I (think I) know how to set up a WINS server on the router as well (or should it be on one of the clients?), but how do i make sure that the two servers can talk to each other properly? Will there be any conflicts that I need to watch out for?> Good luck is all I can say, I have got similar setups to work sometimes and > not others, what you do need to do as well is make sure that NONE, and I do > mean NONE of the pc''s on either subnet are setup to be master browsers.Thanks :-). Is there a command I can use to accomplish this? It''s my understanding that there has to be at least one master browser, but, of course, if I understood everything I wouldn''t be asking questions...> One way to test what is going on is to go onto one of the boxes (I''ll use > 192.168.0.5 in this case) and if it is a linux box type in : > #nmblookup <smb name of pc on 192.168.1.0> > if it is working properly you will get a reply telling you it is trying the > wins server then trying broadcast, if all works well you will get the IP > address back. > > If it isn''t working it will probably give you a reply saying it is unable > to resolve the name.I attempted to lookup Yesteryear (192.168.1.249) from oldShoe (192.168.2.111) using my current configuration. Here is the output: dane@oldShoe $ nmblookup Yesteryear querying Yesteryear on 192.168.2.255 name_query failed to find name Yesteryear It seems to be unable to find the WINS server (Yesteryear) by name. Perhaps this will not be an issue after I figure out how to make the changes you suggested.> > If you are giving out IP''s by DHCP please ensure the lease time is a > reasonable length of time (i.e. 1 day or whatever) not 1 hour like the last > place I worked!ONE HOUR?! What weird people! :-D I''m mostly using static IPs, but I''ll keep that in mind as I implement dynamic ones. Thanks again. I look forward to your reply. --Dane
Thanks for the help, Kenneth! That''s more or less what I''ve got going on. Currently eth0 is connected to the 192.168.2.0 network and ra0 (wireless) is connected to the 192.168.1.0 network. I have the two networks connected through masquerading, but I don''t know if that''s the right way to do it. I have two questions: 1. How do I configure Shorewall for routing instead of being a gateway? I''m pretty sure that whatever I''m doing, I''m doing badly, but I don''t really understand what the difference is between the two as far as Shorewall is concerned. 2. What entry should I put into smb.conf to specify the two interfaces? I appreciate your taking the time to help. --Dane On Friday 24 June 2005 07:53 am, Kenneth Oncinian wrote:> Phil, > > If this 2 subnet is located physically on the same location, then you > can just drop routing and use > a linux gateway instead. (2 nic) > eth0 of this linux box is the gateway of lan1 and eth1 is the gateway of > lan2. > then configure this linux box as the master browser and wins server, > specify the subnet of the 2 networks > in the interface option of smb.conf. > > lan1 and lan2 should then be able to see each other. > > > HTH, > Kenneth > > Phil Foxton wrote: > > http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983# > >post1702983 > > > >> I''d greatly appreciate any help you are willing to give. Thanks! > >> > >> --Dane > > _______________________________________________ > Shorewall-users mailing list > Post: Shorewall-users@lists.shorewall.net > Subscribe/Unsubscribe: > https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: > http://www.shorewall.net/support.htm > FAQ: http://www.shorewall.net/FAQ.htm
Thanks again for your reply. How do I set up the clients, routing tables, etc. to work with IP forwarding? I echoed 1 to that file like you said, but still I can''t ping by name. Should I remove the masq entries? I''ve never done IP forwarding before. It sounds simple enough, but I lack the necessary details. Thanks for your time. --Dane On Friday 24 June 2005 08:57 am, Kenneth Oncinian wrote:> > and ra0 (wireless) is > >connected to the 192.168.1.0 network. > > personally, I dont think a wireless device is appropriate for this job > (performance and reliability reasons?) > > >I have the two networks connected > >through masquerading, but I don''t know if that''s the right way to do it. > > simple ip forwarding would do it, you dont even need shorewall for this > job. echo "1" > /proc/sys/net/ipv4/ip_forward > > > I > >have two questions: > > > >1. How do I configure Shorewall for routing instead of being a gateway? > > I''m pretty sure that whatever I''m doing, I''m doing badly, but I don''t > > really understand what the difference is between the two as far as > > Shorewall is concerned. > > I think you want the other way around, ip_forwarding instead of routing. > This has nothing to do with shorewall. > > >2. What entry should I put into smb.conf to specify the two interfaces? > > eg. > > [global] > interfaces = 192.168.1.0/24 192.168.2.0/24 > > >I appreciate your taking the time to help. > > > >--Dane > > > >On Friday 24 June 2005 07:53 am, Kenneth Oncinian wrote: > >>Phil, > >> > >>If this 2 subnet is located physically on the same location, then you > >>can just drop routing and use > >>a linux gateway instead. (2 nic) > >>eth0 of this linux box is the gateway of lan1 and eth1 is the gateway of > >>lan2. > >>then configure this linux box as the master browser and wins server, > >>specify the subnet of the 2 networks > >>in the interface option of smb.conf. > >> > >>lan1 and lan2 should then be able to see each other. > >> > >> > >>HTH, > >>Kenneth > >> > >>Phil Foxton wrote: > >>>http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983 > >>># post1702983 > >>> > >>>>I''d greatly appreciate any help you are willing to give. Thanks! > >>>> > >>>>--Dane > >> > >>_______________________________________________ > >>Shorewall-users mailing list > >>Post: Shorewall-users@lists.shorewall.net > >>Subscribe/Unsubscribe: > >>https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: > >>http://www.shorewall.net/support.htm > >>FAQ: http://www.shorewall.net/FAQ.htm > > > >_______________________________________________ > >Shorewall-users mailing list > >Post: Shorewall-users@lists.shorewall.net > >Subscribe/Unsubscribe: > > https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: > > http://www.shorewall.net/support.htm > >FAQ: http://www.shorewall.net/FAQ.htm > > _______________________________________________ > Shorewall-users mailing list > Post: Shorewall-users@lists.shorewall.net > Subscribe/Unsubscribe: > https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: > http://www.shorewall.net/support.htm > FAQ: http://www.shorewall.net/FAQ.htm
Phil, If this 2 subnet is located physically on the same location, then you can just drop routing and use a linux gateway instead. (2 nic) eth0 of this linux box is the gateway of lan1 and eth1 is the gateway of lan2. then configure this linux box as the master browser and wins server, specify the subnet of the 2 networks in the interface option of smb.conf. lan1 and lan2 should then be able to see each other. HTH, Kenneth Phil Foxton wrote:> http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983#post1702983 > > > >> I''d greatly appreciate any help you are willing to give. Thanks! >> >> --Dane >> >
http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983#post1702983> > I''d greatly appreciate any help you are willing to give. Thanks! > > --DaneI see what the problem is Dane, it''s not a firewall issue but the fact you actually need 2 WINS servers, one on each subnet. Good luck is all I can say, I have got similar setups to work sometimes and not others, what you do need to do as well is make sure that NONE, and I do mean NONE of the pc''s on either subnet are setup to be master browsers. One way to test what is going on is to go onto one of the boxes (I''ll use 192.168.0.5 in this case) and if it is a linux box type in : #nmblookup <smb name of pc on 192.168.1.0> if it is working properly you will get a reply telling you it is trying the wins server then trying broadcast, if all works well you will get the IP address back. If it isn''t working it will probably give you a reply saying it is unable to resolve the name. If you are giving out IP''s by DHCP please ensure the lease time is a reasonable length of time (i.e. 1 day or whatever) not 1 hour like the last place I worked!
> > > and ra0 (wireless) is >connected to the 192.168.1.0 network. >personally, I dont think a wireless device is appropriate for this job (performance and reliability reasons?)>I have the two networks connected >through masquerading, but I don''t know if that''s the right way to do it. >simple ip forwarding would do it, you dont even need shorewall for this job. echo "1" > /proc/sys/net/ipv4/ip_forward> I >have two questions: > >1. How do I configure Shorewall for routing instead of being a gateway? I''m >pretty sure that whatever I''m doing, I''m doing badly, but I don''t really >understand what the difference is between the two as far as Shorewall is >concerned. > >I think you want the other way around, ip_forwarding instead of routing. This has nothing to do with shorewall.>2. What entry should I put into smb.conf to specify the two interfaces? > >eg. [global] interfaces = 192.168.1.0/24 192.168.2.0/24>I appreciate your taking the time to help. > >--Dane > >On Friday 24 June 2005 07:53 am, Kenneth Oncinian wrote: > > >>Phil, >> >>If this 2 subnet is located physically on the same location, then you >>can just drop routing and use >>a linux gateway instead. (2 nic) >>eth0 of this linux box is the gateway of lan1 and eth1 is the gateway of >>lan2. >>then configure this linux box as the master browser and wins server, >>specify the subnet of the 2 networks >>in the interface option of smb.conf. >> >>lan1 and lan2 should then be able to see each other. >> >> >>HTH, >>Kenneth >> >>Phil Foxton wrote: >> >> >>>http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983# >>>post1702983 >>> >>> >>> >>>>I''d greatly appreciate any help you are willing to give. Thanks! >>>> >>>>--Dane >>>> >>>> >>_______________________________________________ >>Shorewall-users mailing list >>Post: Shorewall-users@lists.shorewall.net >>Subscribe/Unsubscribe: >>https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: >>http://www.shorewall.net/support.htm >>FAQ: http://www.shorewall.net/FAQ.htm >> >> >_______________________________________________ >Shorewall-users mailing list >Post: Shorewall-users@lists.shorewall.net >Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users >Support: http://www.shorewall.net/support.htm >FAQ: http://www.shorewall.net/FAQ.htm > >
Thanks, everybody for your help! I finally figured it out by following clues from this group and others. Here is the solution: http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983 --Dane On Friday 24 June 2005 01:12 am, Dane Mutters wrote:> Thanks for the help, Kenneth! That''s more or less what I''ve got going on. > Currently eth0 is connected to the 192.168.2.0 network and ra0 (wireless) > is connected to the 192.168.1.0 network. I have the two networks connected > through masquerading, but I don''t know if that''s the right way to do it. I > have two questions: > > 1. How do I configure Shorewall for routing instead of being a gateway? > I''m pretty sure that whatever I''m doing, I''m doing badly, but I don''t > really understand what the difference is between the two as far as > Shorewall is concerned. > > 2. What entry should I put into smb.conf to specify the two interfaces? > > I appreciate your taking the time to help. > > --Dane > > On Friday 24 June 2005 07:53 am, Kenneth Oncinian wrote: > > Phil, > > > > If this 2 subnet is located physically on the same location, then you > > can just drop routing and use > > a linux gateway instead. (2 nic) > > eth0 of this linux box is the gateway of lan1 and eth1 is the gateway of > > lan2. > > then configure this linux box as the master browser and wins server, > > specify the subnet of the 2 networks > > in the interface option of smb.conf. > > > > lan1 and lan2 should then be able to see each other. > > > > > > HTH, > > Kenneth > > > > Phil Foxton wrote: > > > http://www.linuxquestions.org/questions/showthread.php?s=&postid=170298 > > >3# post1702983 > > > > > >> I''d greatly appreciate any help you are willing to give. Thanks! > > >> > > >> --Dane > > > > _______________________________________________ > > Shorewall-users mailing list > > Post: Shorewall-users@lists.shorewall.net > > Subscribe/Unsubscribe: > > https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: > > http://www.shorewall.net/support.htm > > FAQ: http://www.shorewall.net/FAQ.htm > > _______________________________________________ > Shorewall-users mailing list > Post: Shorewall-users@lists.shorewall.net > Subscribe/Unsubscribe: > https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: > http://www.shorewall.net/support.htm > FAQ: http://www.shorewall.net/FAQ.htm
Dane Mutters
2005-Jun-27  01:23 UTC
Re: Re: WINS across two networks and a router [SOLVED!]
On Monday 27 June 2005 07:12 am, Paul Gear wrote:> Dane Mutters wrote: > > Thanks, everybody for your help! I finally figured it out by following > > clues from this group and others. Here is the solution: > > http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983 > > For posterity, let it be said that "friends don''t let friends run WINS > or Win98"! ;-)Laugh!> > -- > Paul Gear, Manager IT Operations, Redlands College > 38 Anson Road, Wellington Point 4160, Australia > (Please send attachments in portable formats such as PDF, HTML, or > OpenOffice.)
Dane Mutters wrote:> Thanks, everybody for your help! I finally figured it out by following clues > from this group and others. Here is the solution: > http://www.linuxquestions.org/questions/showthread.php?s=&postid=1702983For posterity, let it be said that "friends don''t let friends run WINS or Win98"! ;-) -- Paul Gear, Manager IT Operations, Redlands College 38 Anson Road, Wellington Point 4160, Australia (Please send attachments in portable formats such as PDF, HTML, or OpenOffice.) -- The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.