[USG Flex 100] No NetBIOS over SSL VPN

Sébastien
Sébastien Posts: 41  Freshman Member
First Anniversary 10 Comments Friend Collector
edited April 2021 in Security
Hi everyone,

I just set up an SSL VPN on a USG Flex 100 requesting NetBIOS broadcast over this connection but it doesn't work. I would like to access an SMB share on the network, it works on the local network using the computer name but not over the SSL VPN remote connection. Using the IP address in the UNC works correctly on the SSL VPN connection by the way.




Any idea of what could be wrong ?

Regards,

Sébastien

Accepted Solution

All Replies

  • Sébastien
    Sébastien Posts: 41  Freshman Member
    First Anniversary 10 Comments Friend Collector
    When trying to troubleshoot this issue I found something interesting related to the configuration I made on this USG Flex 100.

    Wan IP address is part of the 192.168.1.0/24 subnet, fixed IP 192.168.1.200 (provider box).

    As Wan IP address is part of the same subnet as lan1 predefined in the router, I switched all the ports to lan2 (P3 to P6). These ports are now part of the lan2 subnet 192.168.2.0/24. I also disabled lan1 in Interface > Ethernet > Configuration

    VPN IP pool is 192.168.2.250 - 254 so in the correct subnet.

    What I noticed in the logs is that, when I try to access the share using NetBIOS over VPN, the broadcast is made on the 1.0/24 subnet (port 138) which is not the right one !

    Here is the log line :

    9
    2020-09-21 10:49:30
    notice
    Security Policy Control
    Match default rule, DROP [count=2]
    192.168.1.1:138
    192.168.1.255:138
    ACCESS BLOCK

    I just wonder why it "searches" for the NetBIOS name on lan1 despite it knows it is on lan2.

    What do you think of that ?

    Thanks,

    Sébastien
  • Sébastien
    Sébastien Posts: 41  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Hi Emily,

    Thanks a lot for your answer.

    You're right, I get an answer when trying to reach the share :



    The big question now is why it works with the IP address and not with the computer name as it is resolved correctly. Maybe a Windows issue.

    Thanks again,

    Sébastien

    PS. : I configured this USG to have a similar topology to yours, but I had to add a routing policy to be able to ping the host inside the LAN2.

Security Highlight