WINS and PPTP: name resolution over a PPTP VPN
(We'll get to the bottom of this yet.) Well, something similar occurred to
me last night, but my thinking is slightly different. First, I agree
that traffic to the PPTP server is not being tunneled. I do not,
however, believe the reason is because "you can't tunnel a tunnel."
First, you can tunnel a tunnel...there is no particular reason why you
couldn't. A high security application, where you did not want to trust one
single encryption system, might just want to put a L2TP inside a PPTP tunnel,
for example. Second, I think the reason is a routing decision. The
client has to make a decision about whether outbound traffic flows through the
tunnel or not: this decision is made based on an examination of the routing
table.
For example, suppose the address the client uses to get to the PPTP server is
4.17.x.y. This is the address we use to set up the VPN connection.
After setting up the VPN, the client gets an address on the VPN, as returned
by the PPTP server, say 192.168.1.x
Traffic routed to this subnet goes through the tunnel. Traffic not
destined for this subnet does not go through the tunnel. Consequently,
if the client makes a WINS name resolution request to 4.17.x.y (the PPTP
server), the request gets routed outside the tunnel (just a plain old packet
over the Internet). In this case, the WINS request will not get to the
WINS server if the ISP is filtering Windows networking traffic (UDP ports 137,
138, TCP port 139). Likewise, if the client makes a windows networking
request to the PPTP server, using the 4.17.x.y address, the traffic will not
flow through the tunnel. For example, "net use t:
\\4.17.x.y\someshare"
will map a drive on the client to a share on the server, but the traffic over
that mapped drive will not go through the tunnel and will not be encrypted.
However, if the client makes a WINS name resolution request to 192.168.1.y,
where 192.168.1.y is the address on the remote network of a WINS server, then
the WINS request will go through the tunnel and it won't matter if the ISP
filtering Windows networking traffic or not...in either case the WINS request
will go through. Likewise, if the PPTP server itself is multi-homed,
with 192.168.1.z being an alternative address for the PPTP server itself, then
"net use t:
\\192.168.1.z\someshare"
will create a connection that flows through the tunnel and traffic to the PPTP
server over this connection will indeed, be subject to the security of the VPN.
This is why the referenced Microsoft Knowledge Base article suggests that one
method to get around an ISP filtering ports 137, 138, 139, is to make the PPTP/WINS
server multi-homed...using the inside address in this case causes the traffic
to flow through the tunnel.
Long and short of it, it's a routing decision and whether traffic to the PPTP
server itself gets tunneled depends on how that traffic is addressed.
Randy Day-
> After some experimenting, I've figured out exactly what's going on.
> When a PPTP connection is established, any traffic destined for the
> PPTP server itself will **NOT** go through the VPN -- it will be routed
> through the ISP.
>
> While I'm positive my ISP doesn't filter NetBIOS traffic, come to think
> of it, it might be that the Linux IP masquerade firewall the client
> machines route through is somehow 'filtering' port 139 traffic. The
> explains why WINS didn't work until I moved the WINS server to a
> different machine. And this also explains why I'm unable to access
> resources on the PPTP server machine over a PPTP connection.
>
> I think it's very important to know that for security reasons. Even if
> you configure your server to only allow 128-bit encrypted connections,
> NO encryption will be used when the client accesses resources on the
> PPTP server.
>
> I take it the reason why traffic to the PPTP server can't be tunneled
> is simple: you can't tunnel a tunnel.
>
> I'm going to try adding a second IP address to the PPTP server machine
> (as described in the aforementioned KB article), which will solely be
> used for PPTP connections. That sounds like the perfect workaround.
>
> Jordan Russell
>
> In article <GWVL3.2839$T77.150367@news.uswest.net>,
> "Randy Day" <randyday@iname.com>
wrote:
> > Which makes me wonder why filtering of port 139 by the ISP has any
> > effect....
> >
> > Randy Day-
> >
> > <jordanr@my-deja.com>
wrote in message news:7toq20
> $7gd$1@nnrp1.deja.com...
> > > Yes ! I now have a 100% functional VPN. Name resolution has
started
> to
> > > work on NT too (not quite sure what changed, if anything).
> > >
> > > One note: Whenever I do 'ping' on a computer name in the network,
> the
> > > indicator lights on the VPN tray icon light up for a few seconds
> while
> > > it's searching for the name (and of course once the pinging
> starts). So
> > > I think that's good evidence that WINS queries *do* go through
the
> VPN.
> > >
> > > Jordan Russell
> > >
> > > In article <7toliq$4hr$1@nnrp1.deja.com>,
> > > jordanr@my-deja.com
wrote:
> > > > Hmm... I'm pretty sure that WINS traffic does go through the
> tunnel,
> > > > because I believe I read several newsgroup posts where
people
> > > > successfully used PPTP and a WINS server with a non-routable
IP
> > > > address. This wouldn't be possible if WINS traffic wasn't
> tunneled.
> > > And
> > > > I sure *hope* that's possible, because I plan to give a WINS
> server a
> > > > non-routable IP in the future.
> > > >
> > > > But, the good news is, my problem appears to be nearly
solved
> after
> > > > implementing this suggestion from the KB article:
> > > >
> > > > "Method 3
> > > > If the WINS server is on the same computer as the PPTP
server,
> move
> > > the
> > > > WINS server to a different computer."
> > > >
> > > > Windows 98 can now see computer names over PPTP. NT still
isn't;
> I'm
> > > > still looking into that...
> > > >
> > > > Jordan Russell
> > > >
> > > > In article <lcNL3.2166$T77.109168@news.uswest.net>,
> > > > "Randy Day" <randyday@iname.com>
wrote:
> > > > > Interesting KB article. It raises some questions
on my
> part....I
> > > had
> > > > > assumed that WINS name resolution traffic went through
the PPTP
> > > > tunnel. In
> > > > > other words, it went as GRE-encapsulated traffic, and
therefore
> the
> > > > > filtering of ports UDP ports 137, 138 or TCP port 139
would not
> > > > matter.
> > > > > However this article implies otherwise. If
I get time, I may
> have
> > > > to study
> > > > > a sniffer output and see what's really going on.
> > > > >
> > > > > Randy Day-
> > > > >
> > > > > <jordanr@my-deja.com>
wrote in message news:7tmbm6$l10
> > > > $1@nnrp1.deja.com...
> > > > > > Just stumbled across this KB article:
> > > > > >
> > > > > > http://support.microsoft.com/support/kb/articles/Q176/3/21.ASP
> > > > > > "Unable to Resolve NetBIOS Names Through PPTP
Connection"
> > > > > >
> > > > > > Looks promising... In my config, the Server is
indeed both the
> > > WINS
> > > > and
> > > > > > the PPTP server.
> > > > > >
> > > > > > In article <7tlrdr$aak$1@nnrp1.deja.com>,
> > > > > > jordanr@my-deja.com
wrote:
> > > > > > > Thanks for the response.
> > > > > > >
> > > > > > > Adding the WINS server to the NIC's WINS
config is not a
> viable
> > > > > > > solution for two reasons:
> > > > > > >
> > > > > > > 1) Not everybody connecting to the VPN has a
NIC. Some may
> use
> > > AOL
> > > > > > > connections, regular ISP connections, etc.
> > > > > > >
> > > > > > > 2) When you're not even connected to the VPN,
it'll be
> trying to
> > > > query
> > > > > > > that WINS server for machine names. The WINS
server itself
> has a
> > > > > > > routable IP address, so this would create
unnecessary
> traffic.
> > > > > > >
> > > > > > > Jordan Russell
> > > > > > >
> > > > > > > In article <JLsL3.729$T77.26082@news.uswest.net>,
> > > > > > > "Randy Day" <randyday@iname.com>
wrote:
> > > > > > > > Good problem description. See
below.
> > > > > > > >
> > > > > > > > <jordanr@my-deja.com>
wrote in message
> > > > > > > news:7tk53m$2hc$1@nnrp1.deja.com...
> > > > > > > > > I set up PPTP & RAS on a
Windows NT 4.0 SP5 Server and
> > > > Workstation
> > > > > > > > > (each on separate subnets), and it
is completely
> functional
> > > > except
> > > > > > > for
> > > > > > > > > one thing: WINS name resolution
won't work.
> > > > > > > > >
> > > > > > > > > On the Workstation computer, I dial
into the Server with
> > > Dial-
> > > > up
> > > > > > > > > Networking. The connection is
successful. I am able
> > > to 'ping'
> > > > > > > machines
> > > > > > > > > inside the remote LAN by IP
address. However I am not
> able
> > > > > > to 'ping'
> > > > > > > > > machines in the remote LAN by their
NetBIOS names, nor
> am I
> > > > able
> > > > > > to
> > > > > > > > > connect to the machines' shares
because it can't find
> them
> > > by
> > > > > > name.
> > > > > > > > > This is apparently because the WINS
name resolution
> isn't
> > > > working.
> > > > > > > > > Creating an LMHOSTS file on the
client computer with the
> > > > machine
> > > > > > > name
> > > > > > > > > to IP address mappings *does* work,
but maintaining an
> > > LMHOSTS
> > > > > > file
> > > > > > > on
> > > > > > > > > each computer is *not* feasible.
> > > > > > > > >
> > > > > > > > > Now for the strange thing. I *can*
get the client
> computer
> > > to
> > > > use
> > > > > > > the
> > > > > > > > > WINS server if I add the WINS
server to my NIC's TCP/IP
> > > > properties
> > > > > > > in
> > > > > > > > > Control Panel -> Network.
However, if I don't do this
> (and I
> > > > don't
> > > > > > > > > *want* to), and have it rely on the
WINS server being
> bound
> > > > to the
> > > > > > > VPN
> > > > > > > > > interface, the WINS server doesn't
seem to be used.
> > > > > > > >
> > > > > > > > Why don't you want to add the WINS
server to the NIC used
> by
> > > > the VPN
> > > > > > > > connection? That may be the only way to
get WINS
> functioning
> > > > over
> > > > > > the
> > > > > > > VPN
> > > > > > > > (I'm not sure, haven't investigated
this.)
> > > > > > > >
> > > > > > > > > And yes, I am sure
> > > > > > > > > that the VPN interface is set to
use the WINS server,
> > > because
> > > > I
> > > > > > > checked
> > > > > > > > > with "ipconfig /all". I
even tried manually defining the
> > > WINS
> > > > > > > server in
> > > > > > > > > the properties for the Dial-Up
Networking connection. It
> > > just
> > > > > > simply
> > > > > > > > > seems to be ignoring the WINS
server setting.
> > > > > > > > >
> > > > > > > > > Another know of way around this
problem (get WINS to be
> used
> > > > on a
> > > > > > > DUN
> > > > > > > > > PPTP connection)? I searched for
hours through probably
> 100+
> > > > PPTP-
> > > > > > > > > related posts on Dejanews, and
found no good solutions.
> > > > > > > > >
> > > > > > > > > Thanks in advance...
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Jordan Russell
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Sent via Deja.com http://www.deja.com/
> > > > > > > > > Before you buy.
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > Sent via Deja.com http://www.deja.com/
> > > > > > > Before you buy.
> > > > > > >
> > > > > >
> > > > > >
> > > > > > Sent via Deja.com http://www.deja.com/
> > > > > > Before you buy.
> > > > >
> > > > >
> > > >
> > > > Sent via Deja.com http://www.deja.com/
> > > > Before you buy.
> > > >
> > >
> > >
> > > Sent via Deja.com http://www.deja.com/
> > > Before you buy.
> >
> >
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
Copyright © 1999 Randy Day
Last modified: September 14, 2001