
VPN & NetBIOS - One Way traffic ?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Bryanba, Oct 18, 2006.

  1. Bryanba

    Bryanba LI Guru Member

    As much as I have been clamoring for NetBIOS over VPN to function properly for Linksys routers with the various break-then-fix firmware revisions, there's a problem with using it that I hope a solution exists..

    I have a gateway-gateway tunnel established between my home LAN and the Office LAN.. RV042's on both ends.. I am able to browse the Office LAN and connect to resources, no problem.. It works fine..

    The problem is that office users can browse my network at home also. It's not such a problem in reality since no one at this office knows how to do this but I'd prefer if they couldn't see my network at all.. The two LANS have different workgroups so the office users would have to go to "My Computer" / "Entire Network" / "Microsoft Windows Network" / and click on my Home workgroup to see the computers on that LAN.. They can't connect or browse resources because of share permissions however I'd prefer them not to be able to see it at all..

    Would disabling the NETBIOS BROADCASTS on either end of the tunnel allow me to see the Office network and not vice-versa, and if so.. on which end would I disable it? Or is this just an inherent caveat of using NetBIOS that can't be worked around?


    Thanks
    Bryan
     
  2. pablito

    pablito Network Guru Member

    I would turn off the broadcasts on both sides, noisy traffic. If you have a WINS at the office end you could point your home machine at it to get the office list which then prevents your end from broadcasting to the office. There are other ways to get a listing from one side and not broadcast to the other. Depends on what you have/need at the house.

    I have a user with VPN at home and he can use the office servers without any problem but the office can't see him unless they know his IP and how to bully their way in.
     
  3. Bryanba

    Bryanba LI Guru Member


    Wanna share how that's done?

    I am able to setup WINS and have thought about it before. The reason I use NETBios is that BEFORE the RV042, our prior BEFVP41 worked well WITH NETBios enabled. There is little impact with NETBios enabled.

    In fact, the BEFVP41 was so much more reliable a VPN router than the RV042 that I would switch back if we didn't need the PPTP and/or QuickVPN connections for mobile users now. Linksys products have suffered in quality and their tech support is dangerously ignorant.

    Thanks
     
  4. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    I don't use netbios passthrough on any of the VPN setups I use, slows down the tunnel too much. I prefer using DNS.

    For one large client that has a fleet of nurses using laptops to VPN and synch their data....I just use the old hosts file pointing to the database server and DC.

    I find the RV082 and RV016s far stronger than the BEFV series..I couldn't stand those, back in those days I used the BEFSX models.
     
  5. Bryanba

    Bryanba LI Guru Member

    I've had nothing but problems out of the RV042. VPN connections constantly dropping without being able to reconnect. The BEFVP41 that it replaced worked for 3 years with multiple tunnels AND NetBios without a SINGLE problem. We've had so many problems with the RV that we're seriously considering putting the BEF back into operation. I may be asked to do that tomorrow in fact. We've been on the phone with Linksys tech support several times. The first line of support is dangerous. The senior techs are more knowledgeable but after several hours we still have the problem.. The only setting that's made any difference is changing the MTU to 1400 (at their direction) and it has reduced the dropped connections but not eliminated them. Again, the BEF series has been substantially more reliable. I have remote users screaming at me because their tunnels are being dropped while working. I'm running 1.3.7.10 at home and 1.3.7.9 at the office which will be upgraded tomorrow.

    Also, this post is about Netbios traffic direction. I should have prefaced the post with notice that I am aware of how many people don't use it and how it's soooooooo noisy or slows the connection. I have experience with it and it does NOT slow the connection down any significant amount, not at least in our environment. However that's moot with a tunnel between a BEF series and the RV series as NetBios doesn't work anyway. I happen to have an RV042 in my home so the NetBios does work between two RV042's and that's what generated my question. The tunnels between them are still unreliable. The log files are useless where the BEF logs at least gave you an idea what failed..
     
  6. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    I can't testify to the rv042...I've never touched those...1/2 the CPU power of the 082 and 016, and up til recently...last in line to get firmware upgrades. I'm near 60x of those 082/016 models...out in the field...love 'em.

    Netbios does impact, it's not a question of "this environment..yet not that environment". It's "all environments". Moot point for me...any business clients I have will have a server..thus active directory..thus DNS..thus netbios is not needed. You simply point clients to the DC for their DNS and there's your name resolution.

    What make/model modems are in front of them? Mixing any broadband types?
     
  7. Bryanba

    Bryanba LI Guru Member

    The Netbios impact is minimal at most.. Usability seems fine..

    We're running Win2003 Server. We're not running AD and have no immediate plans to do so (Thank God) .. Thus no DNS.

    The Office network is a T1 and a Cisco router in place that handles Data and Voice. Not sure about the model. The WAN IP is fixed.

    My home ISP is Roadrunner, Linksys brand cablemodem, dynamic IP. All of this worked fine with the BEF series..

    I just got off the phone again with Linksys support and they REALLY don't have much of a clue. They're not even familiar with their own products as they can't recall which routers have which features.. Her suggestion was to try using a static IP..which I promptly informed her would guarantee the tunnel would be dropped whenever my IP changes, thus not addressing the problem. Next was to "reset" the Office router. She did offer to replace the router if resetting it doesn't help..

    This is typically what happens.. Before I go to bed I check the tunnels from both ends. They're connected. I get up in the morning and try to connect to one of the machines on the office lan.. It fails. I check my VPN status and it says I'm connected. I check the VPN status on the Office router and it says "Waiting for connection" .. It will remain in this state indefinitely until I make some change to the tunnel ( any setting change will do).. OR just disconnect from my end and reconnect. It reconnects just fine and will remain connected for anywhere from an hour to a couple days.. Then the same thing..

    Tech support doesn't even want to see the log files. I suppose they're aware that they're useless..

    Here is a typical segment of the log (from my home RV042) when I discover the problem.. As if this helps.. There is an entry about "IPSEC SA not found (maybe expired)" that keeps cropping up..

    Oct 25 09:16:26 2006 VPN Log [Tunnel Negotiation Info] Responder Cookies = 59f6 c636 b463 51ba
    Oct 25 09:16:26 2006 VPN Log [Tunnel Negotiation Info] Initiator Cookies = 897c 125c 9712 e57e
    Oct 25 09:16:26 2006 VPN Log [Tunnel Negotiation Info] Aggressive Mode Phase 1 SA Established
    Oct 25 09:16:26 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator send Aggressive Mode 3rd packet
    Oct 25 09:16:26 2006 VPN Log Aggressive mode peer ID is ID_IPV4_ADDR: 'Adddress editied for posting'
    Oct 25 09:16:26 2006 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Aggressive Mode 2nd packet
    Oct 25 09:16:26 2006 VPN Log Received Vendor ID payload Type = [Dead Peer Detection]
    Oct 25 09:16:26 2006 VPN Log STATE_AGGR_I1: initiate
    Oct 25 09:16:26 2006 VPN Log initiating Aggressive Mode #182 to replace #147, connection "ips0"
    Oct 25 09:16:26 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
    Oct 25 09:16:23 2006 VPN Log ignoring Delete SA payload: IPSEC SA not found (maybe expired)
    Oct 25 09:16:23 2006 VPN Log Dead Peer Detection Start, DPD delay timer=10 sec timeout=10 sec
    Oct 25 09:16:23 2006 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
    Oct 25 09:16:23 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
    Oct 25 09:16:23 2006 VPN Log [Tunnel Negotiation Info] Outbound SPI value = 92f089ed
    Oct 25 09:16:23 2006 VPN Log [Tunnel Negotiation Info] Inbound SPI value = ae2d2a07
    Oct 25 09:16:23 2006 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
    Oct 25 09:16:22 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
    Oct 25 09:16:22 2006 VPN Log initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE to replace #148
    Oct 25 09:09:07 2006 VPN Log Dead Peer Detection Start, DPD delay timer=10 sec timeout=10 sec
    Oct 25 09:09:07 2006 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
    Oct 25 09:09:07 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
    Oct 25 09:09:06 2006 VPN Log [Tunnel Negotiation Info] Outbound SPI value = 6610196f
    Oct 25 09:09:06 2006 VPN Log [Tunnel Negotiation Info] Inbound SPI value = ae2d2a06
    Oct 25 09:09:06 2006 VPN Log [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
    Oct 25 09:09:06 2006 VPN Log [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
    Oct 25 09:09:06 2006 VPN Log initiating Quick Mode PSK+TUNNEL+PFS+AGGRESSIVE
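Added example, not code from the thread or from Linksys: a small Python parser for the RV042 "VPN Log" lines quoted above. The router lists entries newest first, so the parser restores chronological order, then counts Phase 1 / Phase 2 establishments and "IPSEC SA not found" deletes, collects the SPIs and measures the interval between successive Phase 2 negotiations; the embedded log is a constructed subset of the lines in the post.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the RV042 log lines quoted in the post, newest first.
SAMPLE_LOG = """\
Oct 25 09:16:26 2006 VPN Log [Tunnel Negotiation Info] Aggressive Mode Phase 1 SA Established
Oct 25 09:16:23 2006 VPN Log ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Oct 25 09:16:23 2006 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Oct 25 09:16:23 2006 VPN Log [Tunnel Negotiation Info] Outbound SPI value = 92f089ed
Oct 25 09:16:23 2006 VPN Log [Tunnel Negotiation Info] Inbound SPI value = ae2d2a07
Oct 25 09:09:07 2006 VPN Log [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Oct 25 09:09:06 2006 VPN Log [Tunnel Negotiation Info] Outbound SPI value = 6610196f
Oct 25 09:09:06 2006 VPN Log [Tunnel Negotiation Info] Inbound SPI value = ae2d2a06
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) VPN Log (.*)$")
SPI_RE = re.compile(r"(Inbound|Outbound) SPI value = ([0-9a-f]+)")

def parse_log(text):
    """Return (timestamp, message) pairs in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y"), m.group(2)))
    events.reverse()                  # undo newest-first so that the stable sort
    events.sort(key=lambda e: e[0])   # keeps same-second lines in the right order
    return events

def summarize(events):
    """Count SA events, collect SPIs and measure gaps between Phase 2 negotiations."""
    s = {"phase1": 0, "phase2": 0, "sa_not_found": 0,
         "inbound_spi": [], "outbound_spi": [], "phase2_gaps_sec": []}
    last_p2 = None
    for ts, msg in events:
        if "Phase 1 SA Established" in msg:
            s["phase1"] += 1
        elif "Phase 2 SA Established" in msg:
            s["phase2"] += 1
            if last_p2 is not None:
                s["phase2_gaps_sec"].append(int((ts - last_p2).total_seconds()))
            last_p2 = ts
        elif "IPSEC SA not found" in msg:
            s["sa_not_found"] += 1
        else:
            m = SPI_RE.search(msg)
            if m:
                s[m.group(1).lower() + "_spi"].append(m.group(2))
    return s
```

On the sample the two Phase 2 negotiations are 436 seconds apart and the peer's Delete for an SA this side no longer knows arrives in the same second as the rekey; comparing such gaps with the Phase 2 lifetime configured on each router is the natural next check.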
     
