SSL VPN NetBIOS issues

Sébastien Member Posts: 19  Freshman Member
Hi everyone,

I know I'm coming back to a common issue but I can't find any solution to my problem.

All I want is to be able to use an SMB network share over an SSL VPN (USG Flex 100). I can reach it by using the IP address but not the machine name.

As advised on this forum, I used Wireshark to see if the name resolution is correct, and yes it is: the machine I try to reach gives its IP back correctly.

In my test, the machine name is "secretariat" and its IP address is "192.168.2.34".



So \\192.168.2.34 works but not \\secretariat. Error code is 0x80004005 (unspecified error).

Any idea what goes wrong?

Thanks a lot

Sébastien

All Replies

  • Jeremylin Member Posts: 129  Ally Member
    I think you can reference this similar thread
    https://businessforum.zyxel.com/discussion/4816/resolving-lan-hostnames-when-connected-in-host-to-host-vpn
    Enable NetBIOS broadcast over SSL VPN Tunnel, so the scenario could work.
  • Sébastien Member Posts: 19  Freshman Member
    Hi Jeremylin,

    Thank you for your answer.

    This thread doesn't answer my question, but yes, it is the exact same problem, except that in my case it's about SSL VPN, not IPSec.

    NetBIOS broadcast is enabled and the destination machine is well resolved (see the packets captured by Wireshark).

    On premise I can reach the machine by its name (\\secretariat), but not over the VPN, even though I receive a packet with the right destination IP address. And \\to-the-ip works!

    Any idea?

    Sébastien
  • Zyxel_Charlie Zyxel Official Agent Posts: 975  mod
    @sebastian
    Firmware v4.39
    Topology:

    PC1(192.168.10.36)----USG----SSL VPN----PC2(10.214.48.65)

    On SSL VPN page, select Zywall as DNS server, and check NetBIOS broadcast over SSL VPN Tunnel.


    Go to DNS to create a PTR-Record: PC hostname with IP address.

    After the tunnel is built up, enter \\PC1_hostname on PC2.

  • Sébastien Member Posts: 19  Freshman Member
    @Zyxel_Charlie,

    I agree with you, but this is just a workaround to this issue. I don't want to use fixed IPs to avoid conflicts, and your solution forces me to do that. There are a lot of machines sharing content over the LAN which should be reachable by their respective names without the use of a DNS, just as it works inside the LAN. Why doesn't it work with a well-configured USG? See my packet capture: I receive the right IP address (NetBIOS protocol) but it doesn't work.

    I just configured an OpenVPN connection on a customer machine and it works just as if he was on the LAN. Open source software works but not Zyxel hardware. This is sad, because it should be better.

    Could it be a SecuExtender bug? SMBv3 restrictions (computers are Windows 10 clients)?

    Regards,

    Sébastien
  • Jeremylin Member Posts: 129  Ally Member
    I think you need to build Win Server, since the NetBIOS broadcast traffic will not pass through a VPN, so you would need to switch to NetBIOS over TCP.
    The topic has been discussed many times on the internet; you can check this article.
    https://community.cisco.com/t5/vpn/netbios-over-vpn/td-p/1192539

  • Sébastien Member Posts: 19  Freshman Member
    "since the netbios broadcast traffic will not pass through a vpn"

    Why is there an option called "NetBIOS broadcast over SSL VPN tunnel" then?

    The Wireshark packet capture (see my first post) shows that I can get the destination IP, so the broadcast works. Am I wrong on that point? I would understand if I got no response or an error, but yes, the name is well resolved.

    I've read the article talking about this, and I can confirm that NetBIOS over TCP is active.

    Regards,

    Sébastien
  • Zyxel_Charlie Zyxel Official Agent Posts: 975  mod
    edited November 12, 2020 5:56PM
    @sebastian
    FW: v4.60
    PC1(192.168.1.34)----USG----SSL VPN----PC2(10.214.48.65)

    On SSL VPN page, check NetBIOS broadcast over SSL VPN Tunnel.
    Configure SUBNET on assign IP pool.

    After the tunnel is built up, enter \\PC1_hostname on PC2, and it's working.

    Packet capture on LAN interface

    You would notice that first, you need to configure Subnet on Assign IP Pool. Second, type "net use * /del /y" on cmd to clean the patch cache, and skip the special character of hostname.

    If the scenario still fails, you may build the Win Server which Jeremylin mentioned.
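
Added example (not part of the thread, and not Zyxel's or any poster's code): the NetBIOS name query and positive reply of the kind the Wireshark capture in this thread is described as showing, built and parsed in Python following RFC 1002. The 0x20 (file server) suffix, transaction ID, TTL and the reply bytes are constructed assumptions; the name and address are the ones given in the first post.

```python
import socket
import struct

def encode_name(name, suffix=0x20):
    """First-level encode a NetBIOS name: pad to 15 chars, append the suffix byte,
    then split every byte into two nibbles, each offset from 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"          # length octet + 32 bytes + root label

def decode_name(wire):
    """Reverse encode_name: return (name, suffix) from the 34-byte wire form."""
    enc = wire[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_query(name, txid=0x1234):
    """Broadcast name query: flags 0x0110 = recursion desired + broadcast."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 0x0020, 0x0001)  # NB, IN

def parse_response(pkt):
    """Parse a positive name query response whose name is not compressed."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F or an < 1:
        raise ValueError("not a positive NBNS response")
    name, suffix = decode_name(pkt[12:46])
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    # RDATA is a list of 6-byte entries: 2 bytes of NB flags, then the IPv4 address
    addrs = [socket.inet_ntoa(pkt[o + 2:o + 6]) for o in range(56, 56 + rdlen, 6)]
    return name, suffix, addrs

# Constructed sample reply (not taken from the poster's capture)
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8500, 0, 1, 0, 0)
    + encode_name("secretariat")
    + struct.pack(">HHIH", 0x0020, 0x0001, 300000, 6)
    + b"\x00\x00" + socket.inet_aton("192.168.2.34")
)

if __name__ == "__main__":
    print(build_query("secretariat").hex())
    print(parse_response(SAMPLE_REPLY))
```

The reply carries only the name-to-address mapping; opening the SMB session to that address is a separate step that this packet does not cover.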


