Samba outside local subnet?

I just transitioned my home server from an older desktop with two LAN ports (Server B) to a new low-power one (Server C) with only a single LAN port. I get three IP addresses from my ISP, and my roommate and I shared them like this:

External Network:  68.232.0.0/16
Internal Network:  10.0.0.0/24

Coaxial---[Modem]---[10/100 Switch]
                    |  |   \------Server  B eth0              (External IP #1)
                    |  \----------Desktop A eth0              (External IP #2)
                    \-------------[E3000 Router]              (External IP #3)
                                  | | \--------Server  B eth1 (Internal IP)
                                  | \----------Desktop B eth0 (Internal IP)
                                  \------------Other Stuff    (Internal IPs)

Server B eth0 gets replaced with Server C eth0.

Equipment:
-His:
--Router A - Cisco E3000
--Desktop A - Not important
--Server A - Not important
-Mine:
--Desktop B - 1 Ethernet, plenty of PCI-E, high power consumption
--Server B - 2 Ethernet, moderate power consumption, replaced with Server C
--Server C - 1 Ethernet, No PCI-E, low power consumption
--Switch - Layer 2

In my old setup (above) I routed all outbound traffic from my server (B) out of the external interface (eth0). However, incoming connections from the internal interface (eth1) would also exit that interface. By this method I could have a Samba share with all my media on my server (B), but keep torrent traffic off the broadcast domain of the other equipment.

In my new setup, the lower-power server (C) only has one LAN port (eth0) and no internal expansion (USB 2/3 is available, but no PCI[-E]). Is there a way I can continue to have my Samba share, but without the server's internal interface? Is there a cheap and reliable way to add another LAN interface?

Edit: The Cisco router is a consumer model and is not flashed with DD-WRT or the like because it is my roommate's. I have an older WRT54G with DD-WRT at my disposal if needed (it is a bit flaky). The switch is a Layer 2 switch with no administrative interface.

Edit: The server needs to be external to the E3000 router, as my roommate has a habit of deleting the port-forwarding settings on the E3000.

Huckle

Posted 2012-02-03T03:39:18.990

Reputation: 376

Does the server OS support VLAN tagging? If the switch is unmanaged then it won't support trunking, but you could perhaps get a cheap managed switch. – Paul – 2012-02-03T03:53:36.753

The server OS is Debian-based Linux, so that is an option. My major problem (which I forgot to mention, but was kind of implied by "consumer model") is that the router is NAT'ing. This adds complexity to any Samba setup. – Huckle – 2012-02-03T04:03:54.410

The internal router is NATting, but surely that is a routing concern? DNS should be enough to ensure everything can see each other from a Windows domain perspective. With a switch that supports VLAN trunking you can duplicate your original setup with a single LAN port + VLANs: http://wiki.debian.org/NetworkConfiguration#Howto_use_vlan_.28dot1q.2C_802.1q.2C_trunk.29_.28Etch.2C_Lenny.29

– Paul – 2012-02-03T04:31:33.837

Maybe I'm not understanding what you're suggesting. When my windows desktop sends out a broadcast request for shares (on 10.0.0.0/24) the packets will get as far as the NAT'ing router. At this point they've hit the end of the broadcast domain and will be dropped before entering the 68.232.0.0/16 network. – Huckle – 2012-02-03T05:00:59.030

Hi, can you please detail these points: How many Ethernet ports does your modem have? What OS is running on your Server C? On which machine do you run BitTorrent, your desktop or your server? – Olivier S – 2012-02-12T12:37:13.013

Answers

1

Add the server name to your %WINDIR%\system32\drivers\etc\lmhosts file and point the name to the public IP address.

psusi

Posted 2012-02-03T03:39:18.990

Reputation: 7 195

Interesting, I was aware of a hosts file but this is new. I added an entry but will have to get back to you on whether it works. – Huckle – 2012-02-07T02:57:39.383

@Huckle, lmhosts is for resolving lan manager names ( the circa 1995 protocol underlying samba ) to IP addresses. Come to think of it, adding the name to hosts ( which is for all IP name resolution ) should work as well, as does setting up a WINS server, which is Microsoft's lan manager equivalent to DNS. – psusi – 2012-02-07T04:29:04.650

I was leaning more in this direction, but after further thought I realize that this would be something of a large security issue. Having a windows share open to the public internet, even on a *nix system, should probably be avoided. – Huckle – 2012-02-11T19:36:30.783

@Huckle, that's what passwords are for. You might want to use something like fail2ban though to block anyone trying to brute force it. Also it isn't accessible from the Internet unless you configure the router to forward the SMB port. – psusi – 2012-02-11T22:42:34.973

@Huckle, I forgot you wanted the server to be connected to the switch. In that case, you can configure samba to only accept connections from the public IP address of the router, then only your stuff behind the router can access it. – psusi – 2012-02-11T22:47:48.077

I believe I have smb.conf set up correctly, but I'm running into an issue where Windows sees the server, but the credentials aren't being accepted. I tried net view \\server but I get an "Access is Denied (5)" error. Also, I had to use hosts, as it didn't work when using lmhosts. – Huckle – 2012-02-16T18:31:20.340

Ok, never mind. I had to go and set the Samba password manually before it would accept it (I was using my regular login credentials). I still get Access Denied on net view in Windows, but it's working so I don't care much. – Huckle – 2012-02-16T18:43:01.477
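The restriction psusi describes in the comments (accept SMB connections only from the E3000's public address) is done in smb.conf with hosts deny / hosts allow. The fragment below is an added illustration, not configuration posted by anyone in this thread; 68.232.0.3 stands in for "External IP #3" from the diagram, eth0 is the server's single interface, /srv/media and the user name are placeholders. Because every client behind the NAT router reaches the server from that one public address, allowing it is enough for the whole 10.0.0.0/24 side, while the rest of 68.232.0.0/16 and the wider internet are refused before authentication is even attempted.

```ini
[global]
   workgroup = WORKGROUP
   server string = Media server

   ; Bind only to the server's single (external) interface; never to "all".
   interfaces = eth0
   bind interfaces only = yes

   ; Default-deny, then allow loopback and the E3000 router's public address
   ; only. 68.232.0.3 is a placeholder for "External IP #3" in the diagram.
   hosts deny  = ALL
   hosts allow = 127.0.0.1 68.232.0.3

   ; Per-user authentication against Samba's own password database;
   ; refuse to map unknown users to guest.
   security = user
   map to guest = Never

   ; Keep Samba's own log so refused connections are visible.
   log file = /var/log/samba/log.%m
   max log size = 1000

[media]
   comment = Media share
   path = /srv/media          ; placeholder path
   browseable = yes
   read only = yes
   valid users = mediauser    ; placeholder account, created with smbpasswd -a
```

After editing, `testparm` checks the syntax, and the account named in valid users must be added to Samba's password database with `smbpasswd -a mediauser`, which is the step that resolved the "Access is Denied" problem described above (system login credentials are not used by Samba). On the Windows client, the name-to-address mapping from the answer is a single line in %WINDIR%\system32\drivers\etc\hosts of the form `68.232.0.1 serverc` (placeholder address and name). hosts allow filters by source IP only, so it should be treated as reducing exposure, not replacing per-user passwords; a sanity check is to attempt a connection from a host outside the allowed list and confirm it is refused and logged.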

0

It is unlikely that just any consumer-model router can do the job. For a better opinion we would need to know its exact model.

DD-WRT can do this using one-to-one NAT. This requires using firewall rules to NAT these external IPs to your internal IPs, which will also involve making these internal addresses static.

As all computers are now on the same network, you could use Quality of Service (QoS) to limit torrent traffic.

Some helpful user-cases can be found in the thread multiple external IP addresses.

harrymc

Posted 2012-02-03T03:39:18.990

Reputation: 306 093

So you're saying that I'd move all units to be behind the router, they'd all get local addresses. The router would then listen for multiple addresses on its WAN interface and depending on the IP, will port forward to a different local IP? This is a possible solution, but it would require reflashing his router. I'll keep this in mind for now and see if anyone can offer any experiences with USB-ethernet dongles. – Huckle – 2012-02-06T23:58:32.000

You could try it out on the old WRT54G with DD-WRT before flashing. – harrymc – 2012-02-07T07:48:52.153

Due to internal power struggle issues I'd not bother everyone with, I'd like to maintain at least one unit outside the NAT-wall as a stable point of contact. This idea has a lot of merit, but I don't think it will work for me. – Huckle – 2012-02-08T04:36:26.163

If you would like to partition the network, you could use the two routers: flash the new one with DD-WRT and configure it as above, and configure the old DD-WRT router to create an internal segment of the network to contain torrent traffic (or use the switch, which however is not configurable). But I am sure that you can achieve an equivalent architecture by correctly setting up NAT and QoS using one router with DD-WRT. QoS will be far more effective than any artificial division between virtual networks. – harrymc – 2012-02-08T10:50:06.087

The problem is more that I can't rely on my roommate to keep ports open for me. He is notorious for changing router settings I rely on despite me asking him not to (it is his router, but there should be some roommate trust, no?). I need to keep that server on the outside of the NAT wall so I can ssh to it and also run the torrents. I would use my router as the external one except that it is too underpowered (even with DD-WRT) to handle my torrenting (possibly because the hardware is starting to go; I haven't looked into it much). – Huckle – 2012-02-09T19:27:27.897

One "cheap and reliable way to add another LAN interface" would be to add another network card to the server, if possible. To better understand your current network setup, it would help to have a schema for the current unacceptable situation with "his router" clearly marked. The schema is unclear: too many "Server LAN"s. – harrymc – 2012-02-09T19:42:23.957

Updated. Added letters to all the equipment and updated diagram. E3000 router is his, the switch is mine. – Huckle – 2012-02-10T03:26:34.127

As Server C has USB, you could maybe use a USB Ethernet adapter: see on Amazon.

– harrymc – 2012-02-10T06:57:40.510

Will look into this. This site I just found seems to indicate reliable Linux compatibility: http://free-electrons.com/blog/usbeth/ . Will have to look into form factors and the possibility of case-mounting it. -- Do you have any experience with these devices? – Huckle – 2012-02-10T16:40:24.587

Sorry, no experience with this kind of hardware. – harrymc – 2012-02-10T19:57:42.747

0

One thing I didn't consider and no one suggested was running a VPN server. I'm looking into it and will update this answer with information as I go.

Huckle

Posted 2012-02-03T03:39:18.990

Reputation: 376