VPN: Can connect but not browse or do anything

Marc

Hello,

I've got a VPN set up. Machine in South Carolina is the VPN host, and
I am connecting from Florida. Both are XP Professional SP2 boxes.

The VPN is working fine, to my knowledge -- I had to put the host
computer in the router's de-militarized zone since it couldn't do GRE
forwarding, but I can now connect successfully.

Beyond connecting, however, I can't do much. I can successfully ping
the host's IP (192.168.2.200). When I remote desktop into the host it
DOES show that my client is connected, and I can ping the client
(192.168.2.207).

All computers belong to the same workgroup. Computer Browser service
is running on both machines. Windows firewall is enabled with
exceptions; both computers have File & Print Sharing enabled.

However, when I browse the Network Neighborhood I only see my
computer. I cannot detect printer or file shares that the host is
successfully offering to other computers in its LAN in South
Carolina. When I remote desktop into the host, it does not show my
client in the Network Neighborhood either, although it DOES show the
other local computers.

The router on my client side is forwarding all TCP ports to my box,
but I cannot configure UDP forwarding (could this be an issue?). I
simply cannot seem to get the two computers to talk to each other,
even though they are successfully connected via VPN.

Any clues?
 
Chuck

Marc,

Do you have a domain, or a workgroup? With a domain on a segmented LAN (a VPN
link segments your LAN), the domain controller will act as a domain master
browser. With a workgroup, you have 2 master browsers on 2 segments, and no way
for them to see each other.
http://nitecruzr.blogspot.com/2005/08/browsing-across-subnets.html

If you have a workgroup, you'll have to set up fixed links, for each cross-VPN
share. And if you can't set up a DNS or WINS server, you'll have to use IP
addresses, as name resolution broadcasts are another casualty of segmented LANs.
 
Sooner Al [MVP]

In addition to Chuck's comments, an "lmhosts" file on your VPN client is also
an alternative. Here is an example VPN client lmhosts file based on this
example remote network.

http://theillustratednetwork.mvps.org/Vista/PPTP/Examplelmhosts.txt
http://theillustratednetwork.mvps.org/Vista/PPTP/ExampleVistaVPNNetwork.pdf

MS guidance...

http://support.microsoft.com/kb/314884/en-us

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
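Added example (not code from this thread, from Al, or from the linked MVP pages): a small Python parser and generator for the lmhosts format Al points to. It shows what the file actually encodes, a NetBIOS name pinned to a fixed IP address with the optional #PRE (preload) and #DOM: (domain controller) keywords, validates the two things that commonly break such a file (a malformed IPv4 address, a name longer than 15 characters) and resolves a name the way the client would. The sample file text is constructed for this example; 192.168.2.200 is the host address from the thread, while the names PRINTSRV-SC, DC1 and OLDBOX, the domain CORP, the address 10.0.0.5 and the share name HP-LJ are assumed.

```python
"""Parse, validate and generate a Windows lmhosts file.

Added example, not code from this thread or from the linked MVP pages.
On the client, lmhosts lives at %SystemRoot%\\system32\\drivers\\etc\\lmhosts;
each entry maps a NetBIOS name to a fixed IP address, which is what lets a
VPN client reach a remote share by name when name-resolution broadcasts
cannot cross the VPN link.

Assumptions: the names PRINTSRV-SC, DC1, OLDBOX, the domain CORP, the address
10.0.0.5 and the share HP-LJ are constructed; 192.168.2.200 is from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Sample lmhosts text, constructed for this example.
SAMPLE_LMHOSTS = """\
# Remote print server in South Carolina, reached over the VPN.
192.168.2.200   PRINTSRV-SC    #PRE            # preload into the name cache
# A domain controller entry (not needed in a workgroup, shown for the syntax).
10.0.0.5        DC1            #PRE #DOM:CORP
192.168.2.250   oldbox                         # plain entry, resolved on demand
"""


@dataclass
class LmhostsEntry:
    ip: str
    name: str
    preload: bool = False          # #PRE: loaded into the NetBIOS name cache at startup
    domain: Optional[str] = None   # #DOM:<domain>: host is a domain controller for <domain>


def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    """Return the host entries in an lmhosts file.

    A '#' starts a comment unless it begins one of the lmhosts keywords
    (#PRE, #DOM:). Blank lines, comment lines and other directives
    (#INCLUDE, #BEGIN_ALTERNATE, ...) are skipped.
    """
    entries: List[LmhostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<ip> <name>'")
        ip, name, tags = parts[0], parts[1], parts[2:]
        ipaddress.IPv4Address(ip)  # lmhosts is IPv4-only; raises ValueError if malformed
        if len(name) > 15:
            # NetBIOS names are 15 characters plus a 1-byte suffix.
            raise ValueError(f"line {lineno}: NetBIOS name longer than 15 chars: {name}")
        entry = LmhostsEntry(ip=ip, name=name.upper())
        for tag in tags:
            upper = tag.upper()
            if upper == "#PRE":
                entry.preload = True
            elif upper.startswith("#DOM:"):
                entry.domain = tag[len("#DOM:"):]
            elif tag.startswith("#"):
                break  # any other '#' begins a trailing comment
        entries.append(entry)
    return entries


def resolve(entries: List[LmhostsEntry], name: str) -> Optional[str]:
    """Look a NetBIOS name up the way the client does: case-insensitive, first match wins."""
    wanted = name.upper()
    for entry in entries:
        if entry.name == wanted:
            return entry.ip
    return None


def render_lmhosts(entries: List[LmhostsEntry]) -> str:
    """Write entries back out in lmhosts syntax (aligned columns, upper-case keywords)."""
    lines = ["# Generated lmhosts: remote hosts pinned to fixed IP addresses."]
    for entry in entries:
        tags = []
        if entry.preload:
            tags.append("#PRE")
        if entry.domain:
            tags.append(f"#DOM:{entry.domain}")
        lines.append(f"{entry.ip:<16}{entry.name:<16}{' '.join(tags)}".rstrip())
    return "\n".join(lines) + "\n"


def unc_path(ip: str, share: str) -> str:
    """Build the IP-based share reference Chuck calls a "fixed link", e.g. \\\\192.168.2.200\\HP-LJ."""
    return f"\\\\{ip}\\{share}"


if __name__ == "__main__":
    found = parse_lmhosts(SAMPLE_LMHOSTS)
    for e in found:
        print(e)
    print(resolve(found, "printsrv-sc"))
    print(unc_path(resolve(found, "PRINTSRV-SC"), "HP-LJ"))
    print(render_lmhosts(found))
```

On Windows the file has no extension, and after editing it `nbtstat -R` purges and reloads the name cache so the #PRE entries take effect. Because the file on the client only lists the remote server side, whose address is fixed, the client's own dynamically assigned VPN address does not affect it.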
 
Marc

Thanks for your informative response, Chuck....

> Do you have a domain, or a workgroup? With a domain on a segmented LAN (a VPN
> link segments your LAN), the domain controller will act as a domain master
> browser. With a workgroup, you have 2 master browsers on 2 segments, and no way
> for them to see each other.

I am using workgroups. Unfortunately I'm totally clueless about
domains. Is there a place I could learn about them, and compare the
features of using domains instead of workgroups? In the end result,
we've got several distant LANs that need to be connected -- one in
Barcelona, sharing its printers/files, one in South Carolina, sharing
its printer/files... It seems like things could get very ugly if I
don't configure it correctly.

> If you have a workgroup, you'll have to set up fixed links, for each cross-VPN
> share. And if you can't set up a DNS or WINS server, you'll have to use IP
> addresses, as name resolution broadcasts are another casualty of segmented LANs.

I have to admit ignorance on fixed links -- what are they, or could
you point me to some documentation somewhere? I googled it but didn't
find anything at all when I had "fixed links" in quotes. Is this like
the lmhosts file that is alluded to in Al Jarvi's post? I think I
wouldn't want to use a solution like that because the VPN is not
always connected, so with dynamically assigned client IPs I don't
think I can use a hardcoded lmhosts file.

The link you gave explains that "Routers drop broadcasted datagrams",
or as you said, "resolution broadcasts are a casualty of segmented
LANs". But if there was a way to forward UDP packets would this still
be an issue?

I might be interested in setting up a WINS server -- this is built in
to XP, yes? I'm totally a newbie (I am the web programmer/database
guy for my company, and exclusively know OSX/Linux, so while I am
generally familiar with abstract networking concepts I am very new to
Windows networking)

Thanks again,
Marc
 
Chuck

Marc,

Networking computers is a lot of fun, and networking computers on separate
networks even more fun. The issue here with multiple segments is broadcast
SMBs, which both local name resolution and browsing use. Broadcast SMBs are
sent to each computer in the subnet; by definition, broadcast SMBs don't pass
thru routers. They are broadcast only within the subnet, by default.

If your VPN can forward broadcast SMBs then try that. Obviously, you have to
know where you are forwarding them; you don't want to forward them everywhere.
Certainly not to the Internet.

Let me give you my article about domains, which will give you an overview of the
issues.
http://nitecruzr.blogspot.com/2005/08/setting-up-domain-or-workgroup-plan.html

Are you really sharing files between multiple geographical locations, with
servers at each location? Are you referencing those servers by IP address right
now? Give us a rough overview of your population please:
1) How many different locations?
2) How many "servers" in each location?
3) How many "clients" in each location?

If you set up a domain, I'd recommend a DNS server, as WINS is a legacy technique.
http://nitecruzr.blogspot.com/2005/05/windows-xp-on-nt-domain.html

By "fixed links" I meant use an IP address in a share reference, rather than a
computer name. That takes care of the name resolution issue. That's a popular
recommendation here, for name resolution issues.

Now you say that the VPN isn't always connected. If that's the case, you won't
be using the links anyway, if the links refer to a computer in another location.
You can use name references to local computers (in this geographical location),
and IP references to computers in remote geographical locations.

That's the simple solution. If you want to use a domain structure for multiple
locations, and the locations aren't always connected, I would recommend having a
domain controller in each location. So let's look at making this work with a
workgroup, by using IP address references rather than name references.

--
Cheers,
Chuck, MS-MVP [Windows - Networking] http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 
Marc

Our setup is as follows:

We've got a (home-) office in South Carolina. There is a desktop
running XP Pro, which we are using as a server, plus a laptop or two,
all connected in a LAN behind a router. The server is currently set
up for incoming remote access and VPN connections. There are three
printers physically connected to the server and shared with other
computers in the LAN. We need to share these 3 printers with the
outside world (specifically, Barcelona).

Also got a (home-) office in Barcelona. There are 3 printers there,
hooked up to a laptop (though for purposes of permanent print sharing
we are looking into getting a cheap desktop for a print server). We
also need to share those 3 printers with the world, particularly SC
but really anywhere.

I am working from all over the world -- USA, China, and Spain, but
really am just the tech guy so I don't matter once things are set
up.

Ideally, a worker in Barcelona would have 6 printers available at all
times (3 in BCN, 3 in SC). Likewise, a worker in SC would always have
those same 6 printers available.

When someone is working remotely (cafe in Dusseldorf, hotel room in
Chicago, etc.) they need to be able to print to all 6 printers....
that is, once we get a permanent print server solution in BCN. It
appears that a cheap Windows XP Pro box would be the best way to go
for a server in BCN, since it can handle VPN + print sharing and can
share any Windows-compatible printer.

After reading your article on domains, I think it is useful to point
out that everyone trusts each other fully with all resources, so
privacy/access control is not an issue (except for keeping the rest of
the world out!)

Can we make this work using workgroups? Printer sharing is really the
ONLY major concern -- file sharing is nice but unnecessary. I have
heard of some 3rd party solutions like Hamachi but am unsure if that
is the way to go.

Thanks,
Marc
 
Chuck

OK, Marc,

Based on your description of your network, and of your business strategy and
needs, I think that a workgroup is fine for your needs. All that you need is to
reference the printer server by IP address, not by name. You won't be getting
browser advertisements, nor name resolution, thru the VPN. So you won't be
seeing the printer server in Network Neighbourhood, nor will you be able to
reference it by name, when you're at the other end of the VPN.

That's assuming that your VPN doesn't have a setting to pass NetBT broadcasts.
And since you don't have a domain, you probably don't have a dedicated DHCP
server, just the NAT routers, so make sure that NetBT is explicitly Enabled on
all computers.
http://nitecruzr.blogspot.com/2006/04/netbios-over-tcpip.html
 
Marc

Hey Chuck,
Thanks for the response. During the day I played around with Hamachi
and it solved my problems immediately. It also is nice in that I
don't have to worry about how things are set up once we have two
printer servers -- one in BCN, one in SC. I will certainly keep in
mind the potential solution of enabling NetBT (it's not explicitly
enabled right now) but as long as Hamachi is working so easily I
probably will stick with that.

(Has anybody had any negative experience with Hamachi that I should
watch out for?)

Best wishes,
Marc
 
