# Samba behind a NAT, how to get it to work?

## Lemma

Hi.

At work (Uppsala University, Sweden) we have a Windows-based network and using a simple gateway (in my room using NAT and DHCP) I can't see or connect to the other computers/printers we have (using SAMBA). Connected directly, it's working perfectly but not behind the gateway, so the big Q is - what to change to make it work...

/Lemma

----------

## BonezTheGoon

It sounds to me, from the little bit of information you have volunteered, that you likely have a small DSL/Cable Router handling your NAT.  You might need to open some ports to allow the communication to pass.  To test this theory you can try placing your Linux machine (temporarily) in your DMZ (Demilitarized Zone) if your router supports this, which effectively unblocks everything but still uses NAT.  If you can try it this way, and you get good results then I would suggest you look into which specific ports need to be open, then pull your machine back out of the DMZ and only allow traffic on the needed ports (instead of all of them like in the DMZ.)

Hope that helps, by the way if you do not use a router please give us more details so we can answer your question better.

Regards,

BonezTheGoon

----------

## Lemma

You are right, the gateway is (right now) a simple thing from 3com. I intend to set up an old p@166 w 32MB RAM later, if I can get this to work. I can open a "virtual DMZ computer" using the IP-number my laptop has, and to the best of my knowledge that should do what you asked me to do - use NAT but let everything else through; the problem is that it does not seem to make any difference  :Sad: . Are there any special commands I should enable/disable in the smb.config-file perhaps?

----------

## BonezTheGoon

Well it sounds like somehow your 3Com unit is not passing netbios stuff, which honestly I don't know much about.  Even in the DMZ it is not working you say, so I really haven't much more to suggest.  I guess you could try and find out what ports netbios uses (hopefully they are static so you can do this, if they are dynamic you are fairly hosed) and then map those ports directly to your internal ip same ports.  This solution would only work for one machine on your internal LAN if it were to work at all though.  However in theory this shouldn't work IF your DMZ did actually allow all traffic on all ports.  I assume you can actually map directly to any machine you want still by using its IP, it is just network browsing that is not working--right?  If your school has DNS setup properly you might be fairly happy simply resolving the IP of the machine you want to connect to and then go straight to it.  Although as I mention it I realize now that the only way that netbios will work for network browsing is if you have a master browser on your segment of the network, which will mean one of YOUR machines on your LAN will need to act as a master browser.  If you have only Linux machines on your LAN you will need to allow Samba to participate in master browser elections, so that one of them can become the master browser on the segment.  Then you need to allow traffic to that master browser on the correct netbios ports so that it can synchronize with the other master browsers and eventually with the primary domain controller.  Using this method would allow all your machines on your LAN to browse the network, and you could still specifically map ports on your 3Com unit to go directly to your machine that is the master browser on your LAN.  Boy I hate NetBIOS and all this network browsing junk -- I just disable it at my house on both the linux and windows sides.  Icky!  Hope you get it figured out!  
Although like I said, maybe browsing is a little too hopeful for this setting and instead you can accomplish what you need by mapping directly to the resource in question.

Regards,

BonezTheGoon

----------

## Lemma

 *Quote:*   

> If you have only Linux machines on your LAN you will need to allow Samba to participate in master browser elections, so that one of them can become the master browser on the segment. Then you need to allow traffic to that master browser on the correct netbios ports so that it can synchronize with the other master browsers and eventually with the primary domain controller. Using this method would allow all your machines on your LAN to browse the network, and you could still specifically map ports on your 3Com unit to go directly to your machine that is the master browser on your LAN

 

I'll try that. I will only have two machines on my local LAN and they will both be running linux so I guess I will have to get down and dirty learning samba well...

At least now I know it can be done  :Wink: 

/Thx, now I will RTFM over X-mas  :Wink: 

----------

## mrchuckles

Browser elections happen on a domain/workgroup basis, and have no relation to network segments.  Browsers only keep lists of the computers/shares available on the network for viewing through a Network Neighborhood type of program.  I believe your problem lies in resolving NetBIOS names to IP addresses.  NetBIOS uses broadcasts to resolve names, and therefore will not pass through a router (thus your DMZ problems).  To solve this problem, you need access to a WINS server, to resolve the NetBIOS names to IP addresses (since you can't broadcast for them). 

You may also need to open ports on your router to allow SMB traffic.  Do this carefully.  This Microsoft support article outlines which services use which TCP/UDP ports.  I would start by opening them all, then selectively closing them while testing functionality to determine which ones you need open.  Try not to allow the connections to originate from the outside LAN, since you don't want people trying to hack your own LAN through NetBIOS.

----------

## BonezTheGoon

mrchuckles you seem to be dead-on.  I hate NetBIOS and WINS (as I already stated) and do not have much interaction with them, however you are wrong about the segments.  As I mentioned in my post earlier if network browsing is not needed resolving machine names to IPs should be all that is needed.  See below for more information on the browsing service with relationship to network segments.

 *mrchuckles wrote:*   

> Browser elections happen on a domain/workgroup basis, and have no relation to network segments.

 

 *Microsoft Knowledge Base Article - 188001 wrote:*   

> MORE INFORMATION
> 
> The browser service maintains a list of the domain name or workgroup name the computer is in, and the protocol being used for each computer on the network segment being served by the computer running the browser service. On each network segment, a master browser is elected from the group of computers located on the segment that are running the browser service. 

 

Regards,

BonezTheGoon

----------

## keschrich

Maybe I'm way off, but if you have a network (the school network in this case), and another network (your local network behind the NAT), which are connected via the gateway, which I assume have two different subnets, wouldn't you need to set up some sort of VPN system?

----------

## mrchuckles

 *keschrich wrote:*   

> Maybe I'm way off, but if you have a network (the school network in this case), and another network (your local network behind the NAT), which are connected via the gateway, which I assume have two different subnets, wouldn't you need to set up some sort of VPN system?

 

It's not required for what he wants to do, particularly because the traffic between his network and the other network isn't going over the Internet.  The only thing needed to connect two networks on different subnets is a router or gateway.

----------

## daba5443

 *Quote:*   

> Maybe I'm way off, but if you have a network (the school network in this case), and another network (your local network behind the NAT), which are connected via the gateway, which I assume have two different subnets, wouldn't you need to set up some sort of VPN system?

 

The net that I sit on is Uppsala University's, and that is a B-net in the 130.238.*.* region, so in a way it will go over the internet as it is a part of it  :Wink: . Even so, I will not include VPN yet and maybe not ever as it is complicated enough as it is right now and the need is not that great (as I see it). I will though take it under consideration, later...

----------

## Lemma

BTW, Lemma and daba5443 are the same, daba5443 is a newer account that I created when I lost the password for Lemma (and later on found it again  :Wink: ). I normally use Lemma. Sorry for the confusion  :Wink: .

----------

## discostu

How do I configure LISa if I am on a large university network with a WINS server? SMB is working fine, but I would like to be able to browse with lan:// in konqueror.

Thanks.

----------

## xpunkrockryanx

to sort of elaborate on mrchuckles' post... try to browse with samba by going to an ip address rather than a netbios name. if that works, we know that netbios name resolution is your problem. if not, you've still got routing issues of some type. if your network doesn't have a wins server, you might try setting up that old p166 with linux (gentoo of course  :Razz: ) and putting samba on that, and setting it up to function as a wins server for you. the external interface on the router would be on the same subnet as the other machines, and should thus receive browser election and netbios name broadcasts, which it could then put into its wins database. maybe somebody can correct me if i'm wrong here.

----------
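Added example, not part of any post in the thread: the check that mrchuckles and xpunkrockryanx describe (is the failure NetBIOS name resolution or routing?), written as a unicast NetBIOS name query to a WINS server followed by a TCP connect to the address it returns. The server name and WINS address passed to `diagnose` are the caller's own values and `TXID` is arbitrary; UDP 137 and TCP 445/139 are the standard NetBIOS name service and SMB ports.

```python
import socket
import struct

NBNS_PORT = 137          # NetBIOS name service, UDP
SMB_PORTS = (445, 139)   # SMB over TCP, then NetBIOS session service
TXID = 0x4E42            # arbitrary transaction id for this example

def encode_name(name, suffix=0x20):
    """RFC 1002 first-level encoding; suffix 0x20 is the file-server name type."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    nibbles = bytes(0x41 + n for c in raw for n in (c >> 4, c & 0x0F))
    return b"\x20" + nibbles + b"\x00"

def build_query(name):
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD set, broadcast bit clear
    return header + encode_name(name) + struct.pack(">HH", 0x0020, 0x0001)  # type NB, class IN

def parse_reply(data):
    """Return the IPv4 addresses from a positive name query response, else []."""
    try:
        rid, flags, _qd, answers = struct.unpack(">HHHH", data[:8])
        if rid != TXID or not flags & 0x8000 or flags & 0x000F or not answers:
            return []
        off = 12
        while data[off]:                 # skip the answer's name labels
            off += data[off] + 1
        rdlen = struct.unpack(">H", data[off + 9:off + 11])[0]
        rdata = data[off + 11:off + 11 + rdlen]   # entries: 2 flag bytes + 4 address bytes
        return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]
    except (IndexError, struct.error, OSError):
        return []

def diagnose(name, wins_ip, timeout=2.0):
    """Tell a name-resolution failure apart from a routing or filtering failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (wins_ip, NBNS_PORT))
            addrs = parse_reply(s.recvfrom(576)[0])
        except OSError:
            addrs = []
    if not addrs:
        return "name resolution: no positive WINS answer for %s" % name
    for port in SMB_PORTS:
        try:
            socket.create_connection((addrs[0], port), timeout).close()
            return "ok: %s -> %s, TCP %d reachable" % (name, addrs[0], port)
        except OSError:
            continue
    return "routing/filtering: %s -> %s but no SMB port answers" % (name, addrs[0])
```

Because the query is unicast and both connections originate from inside the NAT, the check needs no inbound port mappings on the gateway.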

