
Is it possible to allow a VPN client to do NetBIOS broadcast name resolution through TMG?

In the TMG Queries I can see the rule that is blocking ClientIP->255.255.255.255

I've tried adding 255.255.255.255 to the Internal IP Range.

My VPN Client cannot resolve a NetBIOS name on my internal network. And a server on the internal network cannot resolve the NetBIOS name of the VPN client.

Thanks in advance.

Alex Duggleby

3 Answers


255.255.255.255 is the layer 2 broadcast address. NetBIOS is a layer 3 protocol. As such you should be seeing NetBIOS broadcasts to x.x.x.255, where x.x.x is your subnet address. Broadcast traffic to 255.255.255.255 is related to some layer 2 protocol, not NETBIOS.

Here's an example of a NetBIOS name query on my home network from my workstation (192.168.1.66) looking for my AppleTV:

4:28:03 PM 12/18/2011   192.168.1.66    192.168.1.255   NbtNs   NbtNs:Query Request for APPLETV  <0x00> Workstation Service

EDIT:

In response to ceving's comment, let me clarify, and if I'm wrong, someone please correct me.

A layer 2 broadcast (sent to FF-FF-FF-FF-FF-FF) is sent to 255.255.255.255 at layer 3 (which is a limited broadcast meant for all nodes on the same physical network). Your subnet broadcast address is always x.x.x.SubnetBroadcastAddress (which is a directed broadcast, which in the OP's case is 192.168.1.255, which is intended for all nodes on the x.x.x.x subnet). A broadcast sent to FF-FF-FF-FF-FF-FF/255.255.255.255 is meant for every node on the same physical network and since NetBIOS works at layer 3, it will never send a NetBIOS broadcast to 255.255.255.255, only to the subnet broadcast address (192.168.1.255 in this case). Therefore, the broadcast traffic that the OP is seeing is not NetBIOS broadcast traffic but layer 2 broadcast traffic meant for every node on that physical network.

A limited broadcast (FF-FF-FF-FF-FF-FF/255.255.255.255) is meant for all nodes on the same physical network, whereas a directed broadcast (FF-FF-FF-FF-FF-FF/x.x.x.SubnetBroadcastAddress) is intended for specific nodes on that network (those that match the subnet address), to which there may be connected nodes in different subnets (multinets). Nobody ever said that all of the nodes on the same layer 2 network have to belong to the same layer 3 network, hence why the limited broadcast address (FF-FF-FF-FF-FF-FF/255.255.255.255) exists. In both cases the layer 2 destination is FF-FF-FF-FF-FF-FF, the difference is in which nodes accept the broadcast, based on the layer 3 address.

joeqwerty

A VPN network is actually a router. And a router does not forward unlimited broadcasts (255.255.255.255). Those broadcasts are only valid in a local subnet. In order to forward those broadcasts through a VPN you have to bridge the layer 2 (Ethernet) through the VPN.

ceving

Do you have an Active Directory domain controller running on your network? You could have it perform name resolution for all clients using its WINS service.

Two things need to happen: the WINS service must be started on the DC, and the clients must be told to register with the server. The clients can be informed of the WINS server by manually configuring them, or by using DHCP.

Check out a quick Google here. I've only skimmed it, but the TechRepublic article seems to do a good job of explaining the basics.

HTH.

B Knight
    WINS does not have to be installed on a DC – Chris S Dec 21 '11 at 05:03
  • +1 WINS is a better idea than forwarding all the broadcasts across the VPN. – NorbyTheGeek Dec 21 '11 at 19:45
  • WINS has its own limitations. For example, it is quite complicated to perform NAT on WINS packets. – ceving Dec 21 '11 at 19:53
  • True enough, it is not required to put WINS on a DC. I would say it is the most convenient place to put it, along with DHCP and DNS. Also, given that the OP is using a remote access VPN system, and assuming that system supports non-unique "private" addressing across the VPN tunnel, there are probably no NAT issues. [comment edited to address NAT concerns] – B Knight Dec 23 '11 at 16:54