Resolving LAN hostnames when connected in Host to Host VPN

Options
Anoosh
Anoosh Posts: 6
First Comment
edited April 2021 in Security
HI,  I have a simple IPSec host to host VPN set up between two USG20W routers:
Headquarter Lan: 192.168.30.0/24
Remote office Lan: 192.168.7.0/24
I have enabled the "Enable NetBIOS broadcast over IPSec" in the VPN connections on both sides.  Both sides are simple network with about a dozen mixed Windows machines.  DNS address is served with Zywall at  192.168.30.1 and 192.168.7.1 respectively. 
I have setup policy routes on each side to route from the local to remote Lan with next hop as the VPN tunnel.
The  Connection is fine and I can ping IP address from either side. What I want to do is to see the remote machine names on the local machines.  For example "ping RemoteMachineName".  I have tried adding 192.168.30.1 on the "Domain Zone Forwarder" on the remote office router but that does not help either, the remote machine name is not resolved.
The only discussion I found is in: https://businessforum.zyxel.com/discussion/comment/3450#Comment_3450 
However that thread is regarding using L2P clients and using fully qualified domain names, etc and not host to host vpn link.   As I mentioned, I don't have a domain established on either side and machines are simply broadcasting their names for local resolution via respective local Zyxel as the DHCP server.
Any idea how achieve this?  Thank you in advance.
«1

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @Anoosh,

    Firmware: 4.39

    Topology:

    PC1(192.168.1.34)----USG20W-VPN----VPN------USG60W-----PC2(192.168.10.33)

    Use the wizard to create site to site VPN and enable NetBIOS broadcast over IPSec on both sites.


    After the tunnel is built up, enter \\PC1_hostname on PC2.

    Capture packets on interface lan1 of USG60W.

    Check if PC1 responds the name query with its IP address 192.168.1.34.


  • Anoosh
    Anoosh Posts: 6
    First Comment
    edited August 2020
    Options
    Thank you for your response.
    Host to host is set up between HQ : 192.168.30.0/24 and Remote: 192.168.7.0/24
    HQ-Server3:  IP: 192.168.30.34
    Remote-Machine: IP: 192.168.7.14
    when from Remote-Machine I do "ping \\HQ-Server3", The only relevant packet I see captured is this:
       172 12.558154 192.168.7.14 192.168.30.255 NBNS 92 Name query NB \\HQ-Server3<00>
    There is no response.  Please note that the query is going to 192.168.30.255.  Is that correct for DHCP table on HQ router to be queried across the VPN?
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @Anoosh,

    Topology:

    PC1(192.168.1.34)----USG20W-VPN----VPN------USG60W-----PC2(192.168.10.33)

     

    On both USG20W-VPN and USG60W, capture packets on interface lan1.

    On PC2, enter \\PC1_hostname

    Stop packet capture, download the file and open both captured files.

     

    USG60W


    USG20W-VPN

    Check if USG20W-VPN receives the name query packet from the remote site.

    If it does receive the name query packet, it means there is no problem with the function “NetBIOS broadcast over IPSec”.

    If USG20W-VPN receives the name query packet but PC1(192.168.1.34) doesn’t respond, the problem is on PC1.


  • Anoosh
    Anoosh Posts: 6
    First Comment
    edited August 2020
    Options
    So, I do get the name query packet on the headquarter (HQ) router (destination) but no response packed is issued from the HQ-Server3 192.168.30.34 (which you are calling PC1).  So, based on your diagnosis, the problem is with PC1.  What kind of issues should I be looking for?  PCs on the destination link are all part of a Workgoup and see each other fine on their subnet (192.168.30.0)
  • Anoosh
    Anoosh Posts: 6
    First Comment
    Options
    Here  is the NetBIOS setting for PC1:

  • lalaland
    lalaland Posts: 90  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    This issue seems related to windows behavior. Did you disable windows firewall on remote pc?
    Maybe you can try to access by UNC path.
    \\IP address\foldername
  • Anoosh
    Anoosh Posts: 6
    First Comment
    Options
    Firewalls are off.  I can access using the IP address but that is not scalable.  Was hoping to be able to use the host names.   Machines on the local subnet have no issue accessing each other with the host name.  The issue is only when I use the VPN tunnel.
  • ols_it
    ols_it Posts: 4
    First Comment
    Options
    Hi Anoosh,
    did you solve the issue?
    in company we have the same problem, which does not translate the hostname, but only solves the IP address.
    We did the checks with the packet capture on USG60W (HQ) and USG200 (Branch) and the answers are ok. But remote pc (prompt) receives the error "unable to find the host".

    Packet capture from USG200:


    Packet capture from USG60W:


    Ping to IP address (ok) and hostname (ko) submit from Branch:

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,367  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @ols_it  

    It looks NetBIOS has forwarded and resolved IP successfully without problem.

    But PC did not cache IP and PING to peer site continually.

    The reason maybe Windows security setting or other reasons.

     

    You may make sure both of PCs are joined into same domain.

    If it still doesn’t help, you may use WINS server for your network environment.

  • ols_it
    ols_it Posts: 4
    First Comment
    Options
    Thank you for your response.
    As you say, both of PCs are NOT joined into same domain.
    Maybe, this is the issue.
    Network HQ is 192.168.1.1/24, while the Branch is 192.168.20.1/24
    How should i use the same domain ?

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)