SSL VPN NetBIOS issues

Sébastien Posts: 41  Freshman Member
edited April 2021 in Security
Hi everyone,

I know I'm coming back to a common issue but I can't find any solution to my problem.

All I want is to be able to use an SMB network share over an SSL VPN (USG Flex 100). I can reach it by using the IP address but not the machine name.

As advised on this forum I used Wireshark to see if the name resolution is correct and yes it is: the machine I try to reach gives its IP back correctly.

In my test, the machine name is "secretariat" and its IP address is "192.168.2.34".

So \\192.168.2.34 works but not \\secretariat. Error code is 0x80004005 (unspecified error).

Any idea of what goes wrong?

Thanks a lot

Sébastien

All Replies

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    I think you can reference this similar thread:
    https://businessforum.zyxel.com/discussion/4816/resolving-lan-hostnames-when-connected-in-host-to-host-vpn
    Enable NetBIOS broadcast over SSL VPN Tunnel, so the scenario could work.
  • Sébastien
    Sébastien Posts: 41  Freshman Member
    Hi Jeremylin,

    Thank you for your answer.

    This thread doesn't answer my question; yes, it is the exact same problem, but in my case it's about SSL VPN, not IPSec.

    NetBIOS broadcast is enabled and the destination machine is well resolved (see the packets captured by Wireshark).

    On premise I can reach the machine by its name (\\secretariat) but not over the VPN, even though I receive a packet with the right destination IP address. And \\to-the-ip works!

    Any idea?

    Sébastien
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @sebastian
    Firmware v4.39
    Topology:

    PC1(192.168.10.36)----USG----SSL VPN----PC2(10.214.48.65)

    On SSL VPN page, select Zywall as DNS server, and check NetBIOS broadcast over SSL VPN Tunnel.

    Go to DNS to create a PTR record: PC hostname with IP address.

    After the tunnel is built up, enter \\PC1_hostname on PC2.

  • Sébastien
    Sébastien Posts: 41  Freshman Member
    @Zyxel_Charlie,

    I agree with you but this is just a workaround to this issue. I don't want to use fixed IPs, to avoid conflicts, and your solution forces me to do that. There are a lot of machines sharing content over the LAN which should be reached by their respective names without the use of a DNS, just as it works inside the LAN. Why doesn't it work with a well-configured USG? See my packet capture: I receive the right IP address (NetBIOS protocol) but it doesn't work.

    I just configured an OpenVPN connection on a customer machine and it works just as if he were on the LAN. Open source software works but not Zyxel hardware; this is sad because it should be better.

    Could it be a SecuExtender bug? SMBv3 restrictions (computers are Windows 10 clients)?

    Regards,

    Sébastien
  • Jeremylin
    Jeremylin Posts: 166  Master Member
    I think you need to build a Win Server, since the NetBIOS broadcast traffic will not pass through a VPN, so you would need to switch to NetBIOS over TCP.
    The topic has been discussed numerous times on the internet; you can check this article:
    https://community.cisco.com/t5/vpn/netbios-over-vpn/td-p/1192539

  • Sébastien
    Sébastien Posts: 41  Freshman Member
    "since the netbios broadcast traffic will not pass through a vpn"

    Why is there an option called "NetBIOS broadcast over SSL VPN tunnel" then?

    The Wireshark packet capture (see my first post) shows that I can get the destination IP, so the broadcast works; am I wrong on that point? I would understand if I got no response or an error, but yes, the name is well resolved.

    I've read the article talking about this, and I can confirm that NetBIOS over TCP is active.

    Regards,

    Sébastien
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited November 2020
    @sebastian
    FW: v4.60
    PC1(192.168.1.34)----USG----SSL VPN----PC2(10.214.48.65)

    On SSL VPN page, check NetBIOS broadcast over SSL VPN Tunnel.
    Configure SUBNET on assign IP pool.

    After the tunnel is built up, enter \\PC1_hostname on PC2, and it's working.

    Packet capture on Lan interface

    You would notice that first, you need to configure Subnet on Assign IP Pool. Second, type
    "net use * /del /y" on cmd to clean the patch cache, and skip the special character of hostname.

    If the scenario still fails, you may build the Win Server which Jeremylin mentioned.

  • Sébastien
    Sébastien Posts: 41  Freshman Member
    Hi Zyxel_Charlie,

    Sorry for the delay, time goes too fast! And thank you for trying to resolve this case.

    My configuration seems correct, please have a look.

    NetBIOS broadcast works because I can capture the packets with Wireshark, as you can see in the screen capture in my first post. And I get something very similar to yours when capturing the name query and name query response.

    I will try setting up an L2TP/IPSec connection; maybe it will work.

    Thanks

    Sebastien
  • stefanocps
    stefanocps Posts: 23  Freshman Member
    Hello, I have a similar issue.
    When connecting through SSL VPN, I can reach a PC's share like \\server, but with any machine I try to connect to via RDP the FQDN name doesn't work; I get an "impossible to connect" error. While using RDP with the IP works well.
  • lalaland
    lalaland Posts: 91  Ally Member
    When you connect RDP with FQDN, it will go for DNS resolve instead of NBNS query.
    You may check if the client can resolve FQDN from given DNS server.
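
To make the NBNS name query and positive name query response that Sébastien captured concrete (and to show why lalaland's point about FQDNs matters: only flat 15-character names go through this path), here is an added example that is not from the thread or from Zyxel. It builds the broadcast query for "secretariat", constructs the reply the name owner at 192.168.2.34 would send, and parses it back, rejecting replies whose transaction id or RCODE do not match; the transaction id 0x1234 and TTL are assumed sample values.

```python
import socket
import struct

def encode_netbios_name(name, suffix=0x20):
    """RFC 1001 first-level encoding: pad to 15 chars, append the service suffix
    (0x20 = File Server), map each nibble to 'A'..'P'. Returns the 34-byte wire form."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + out + b"\x00"

def decode_netbios_name(wire):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    body = wire[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_nbns_query(name, txid):
    """Broadcast NAME QUERY REQUEST: flags 0x0110 = opcode QUERY, RD and B bits set."""
    hdr = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return hdr + encode_netbios_name(name) + struct.pack("!HH", 0x0020, 0x0001)

def build_nbns_response(name, ip, txid, ttl=300000):
    """POSITIVE NAME QUERY RESPONSE as the name owner sends it (constructed sample)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)    # response, authoritative
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)  # NB_FLAGS: unique name, B-node
    rr = encode_netbios_name(name) + struct.pack("!HHIH", 0x0020, 0x0001, ttl, len(rdata))
    return hdr + rr + rdata

def parse_nbns_response(pkt, expected_txid):
    """Return the resolved addresses; rejects wrong txid, non-responses and RCODE != 0."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or flags & 0x000F or an < 1:
        raise ValueError("not a positive name query response (rcode=%d)" % (flags & 0xF))
    name, suffix = decode_netbios_name(pkt[12:46])
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    addrs = []
    for off in range(56, 56 + rdlen, 6):   # each entry: NB_FLAGS(2) + NB_ADDRESS(4)
        nb_flags, = struct.unpack("!H", pkt[off:off + 2])
        addrs.append({"ip": socket.inet_ntoa(pkt[off + 2:off + 6]),
                      "group": bool(nb_flags & 0x8000)})
    return {"name": name, "suffix": suffix, "ttl": ttl, "addrs": addrs}

def resolve_example():
    """Round trip for SECRETARIAT<20> -> 192.168.2.34, the pair from the thread."""
    query = build_nbns_query("secretariat", 0x1234)
    reply = build_nbns_response("secretariat", "192.168.2.34", 0x1234)
    return query, parse_nbns_response(reply, 0x1234)
```

A successful parse here only proves name resolution, which is exactly what the capture in the thread shows; the SMB session setup that follows is a separate TCP/445 exchange and has to be checked on its own.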