Hash: SHA1

David Brown wrote:
> Hi,
> As far as I have read (on the samba website), workgroups will work fine
> across subnets - as long as you have WINS working fully.  DNS will get
> you some of the way, but is not complete in itself as WINS stores a
> "type" as well as the name (so that it can distinguish between clients,
> services, master browsers, etc.).  But if you don't have WINS setup on
> every machine, or have two WINS servers on the network, things go wrong
> quickly.  The examples on the samba website (at least, the ones I looked
> at) all have a single workgroup, which is okay for me (if I had to split
> it by subnet, that would be okay too).
> I'm still not quite sure what firewall and routing rules are needed
> between the networks - if anyone knows a website with a clear
> explanation I'd be glad to see it.
> My understanding at the moment is that the rules for name service (nmbd)
> and sharing (smbd) are slightly different - every computer on each (LAN)
> subnet will need nmbd access (udp 137, udp 138) to the WINS server, and
> the WINS server will need the same access to each machine (since it
> needs to contact the local master browser on each subnet, which could be
> any machine).  Additionally, the domain master browser (totally
> different thing from a domain controller, even if they happen to be the
> same machine) needs the same access to the local master browsers - I'd
> use the same samba server for that as for WINS.  There is no need for
> name service access to or from servers on any network (except to and
> from the WINS server).
> For the file serving (tcp 135, tcp 139, tcp 445), then access only has
> to be as one would expect for a server - if a client on Lan 1 needs
> access to a server on Lan 2, then the smb ports need to be opened for
> that route.
> As for the idea of a "god box" - I can sympathise somewhat.  When I
> discussed hardware for a new firewall with my local computer shop (they
> are quite good for hardware, but are solidly windows-only), their idea
> of an advanced firewall (as distinct from a ready-made appliance) was a
> large, fast server (including SCSI disks for reliability), lots of
> single-port network cards, and - wait for it - Microsoft "Internet
> Security and Acceleration" server.  Estimated hardware costs of around
> $3500 - I don't know what the software costs would be, and it was not
> exactly what I had in mind when I think of "security" !
> mvh.,
> David
> DarkFoon wrote:
>> I was hired to do the same thing for a small business a year ago.
>> I learned about a month and a half into the project that windows shares,
>> while they work across subnets, the hostname can't be used because of
>> WINS,
>> only the IP address. Workgroups especially do not work across subnets. I
>> would like to know if DNS will work for your workgroup. I can't
>> remember if
>> I tried that, or even had the proper settings for get it to work.
>> My employer's entire network was set up with a workgroup that had been
>> tweaked to act sorta like a domain. I set up a FreeBSD domain server,
>> but he
>> wanted a "god box" that was his domain server, web server,
>> firewall-which I
>> wouldn't build due to security reasons-and he had some custom server
>> software that would only work under windows, so I was let go; his son
>> can do
>> windows stuff for free.
>> Sorry, I got off topic there.
>> WebDAV over https sounds like an interesting idea.
>> I hope I have been of some help.
>> ----- Original Message ----- From: "David Brown" <[EMAIL PROTECTED]>
>> To: <discussion@pfsense.com>
>> Sent: Thursday, January 04, 2007 12:09 AM
>> Subject: [pfSense-discussion] Windows shares across the firewall
>>> I'm planning to set up a new firewall/router at our company, and am
>>> leaning towards using pfSense because I want several green networks
>>> (either using multiple ports on the firewall machine, or using a managed
>>> switch and VLANs - as far as I understand it, they can work the same
>>> way).
>>> There are going to be a couple of server machines on different branches
>>> of the LANs, but I need access to them from the other branches.  The
>>> setup I've planned looks like this:
>>> /-----------\
>>> |           |-red1----internet
>>> |  pfSense  |-red2----(second internet connection, optional)
>>> |           |
>>> |           |-orange--DMZ---web server, mail server, squid, etc.
>>> |           |
>>> |           |-blue---(wireless for laptops, including visitors)
>>> |           |               |               |            |
>>> |           |           LinkSys WRT54GL    LinkSys      LinkSys
>>> |           |            /   \              /   \        /   \
>>> |           |         laptops, etc.
>>> |           |
>>> |           |-green1---LAN (192.168.1.x)---server1.1, pc1.1, pc1.2, etc.
>>> |           |
>>> |           |-green2---LAN (192.168.2.x)---server2.1, pc2.1, pc2.2, etc.
>>> |           |
>>> |           |-green3---LAN (192.168.3.x)---server3.1, pc3.1, pc3.2, etc.
>>> |           |
>>> \-----------/
>>> Making appropriate firewall and routing rules for access to the DMZ
>>> servers from the green LANs is easy enough, as are things like allowing
>>> ssh access on different LANs for administrative purposes.  But it is
>>> also important that I can get windows share access in some way across
>>> the LANs.  For example, pc1.2 (say, should be able to
>>> mount a share on server2.1 (, while the reverse is not true
>>> (i.e., no machine on LAN2 should see the pc's on LAN1).  Is it
>>> sufficient, and safe, to simply open a pinhole for traffic on port 139
>>> towards from 192.168.1.x ?  I suppose I could set up VPNs
>>> somewhere to tunnel traffic around, but I can't see that this would
>>> actually improve matters (I have no need to encrypt traffic passing
>>> between greens) - I would need similar rules to limit the VPN traffic.
>>> In fact, I'm assuming that once I've got things figured for cross-green
>>> routing, I can use the same sorts of rules for VPN's from laptops on the
>>> blue zone or attaching via the internet.
>>> As far as I can tell, it is only the share access that I need from the
>>> SMB/CIFS protocols.  pfSense's DNS server should be able to handle
>>> naming, and I am not running a windows domain (it's all set up as a
>>> workgroup).
>>> If I can't get a stable and secure arrangement for SMB sharing, what are
>>> my other options?  At the moment, we have a couple of linux file servers
>>> and one old windows one, which can be replaced if it is not flexible
>>> enough.  I've heard of using WebDAV as a protocol - W2K and XP (and
>>> linux, and presumably FreeBSD :-) can mount WebDAV paths, and use them
>>> directly.  If the WebDAV access is over https, then it could be used
>>> directly from outside the LANs without needing a VPN.  Another idea I
>>> have read about is using a SFTP server along with WebDrive software.
>>> Any hints, tips, website pointers, or comments about how only an idiot
>>> would arrange things like that, would be much appreciated.
>>> mvh.,
>>> David

        WINS name resolution must be done via Samba or an equivalent Windows
DNS-enabled machine, or you will have to use the full or partial DNS
qualified names in resolving servers. See
for an example of what I'm referring to (discussion is a bit old, but
still applies AFAIK).
        For WINS you need (IIRC) ports 137-139, maybe (netbios stuff), and 443
(Microsoft DNS aka "mdns") to be allowed through the firewall. You need
ports 137-139 for sure with 443 for SMB/CIFS based file/printer sharing
though, along with whatever ports you have in use for mountd since RPC
uses random ports for mapping out different related services (see your
OS's documentation for that).
- -Garrett
Version: GnuPG v2.0.1 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Reply via email to