Routing NetBIOS from a LAN with fixed firewall-concealed public IP addresses to a LAN with fixed private IP addresses using IP masquerading (Network Address Translation, NAT) and a public static router address.
Rev: 01 Nov 2004.
NetBIOS is enough to make admirers of Microsoft grimace. It is a twisted version of the Net, where DNS (Domain Name Server) becomes WINS and HOSTS becomes LMHOSTS. Long ago (1983) it was born as a network protocol for the very early IBM PC networks; then it required custom hardware. It mutated into LAN Manager (then OS/2 then Warp then nothing) and Windows for Workgroups NetBEUI. (see also: Microsoft's explanation of NetBIOS)
Finally the network layers were gutted, the naming services and application interfaces preserved, a terrible surgery performed, and 'NetBIOS over TCP/IP' was born. This is what many of us live with now.
It is not a pretty synthesis. DNS, WINS, HOSTS, LMHOSTS, PNC (primary network controller), domains, workgroups, TCP caching, Browse-Master, ports and routers, Win32 variations, and scopes all interact with one another. The usual symptom of a royal mess is that it's possible to access servers using UNC (enter \\name in the Run box for example), but impossible to browse a network using network neighborhood:
Unable to browse the network. The network is not accessible. For more information, look in the Help Index at the topic 'Network Troubleshooter'.
In the words of Eric Hall:
These systems [NT networking, Win9x] are just two members of a rather large family that also includes Microsoft Windows for Workgroups, Microsoft LAN Manager for OS/2, IBM LAN Server, Digital Equipment Corp.'s PathWorks for VMS, a variety of freeware ports of SAMBA, and LAN Manager for Unix (available from Hewlett-Packard Co., NCR Corp., The Santa Cruz Operation and others). Even Novell has an offering that enables NetWare servers to interact with these LAN Manager-based workgroup products.
The core technologies that tie together these systems are Server Message Blocks (SMBs) and NetBIOS-over-TCP/IP (NBT). The SMB protocols performing the file- and printer-sharing dirty work are invisible to end users, since the networking drivers handle the intersystem communications. However, NBT is visible to end users, mostly because it doesn't work well in non-local, non-broadcast environments.
I spent about 10 hours slogging away on a problem I had, and I reviewed about 60 documents from Microsoft, Deja.com (newsgroups) and a text. After figuring out what was wrong, I My Problem, below. However, I did dredge up a LOT of resources that others may benefit from. In the interests of sharing, they are sorted in the Resources section.
After much struggle, the problem turns out to be reasonably straightforward. NetBIOS does not readily route; it's really a LAN-only solution, preferably for small LANs. (NT 5 is supposed to be gutting NetBIOS.) Higher end routers can make NetBIOS behave, but the home router provided by my DSL vendor (Cisco 675) does not.
If you connect to the Internet with a bridged configuration (many cable modems, some DSL), so that all machines that are connected to the net are guaranteed to have public valid IP addresses (forget security issues here), then NetBIOS can work ok (assuming you take care of workgroup permissions and the like).
However, if you connect with a true routed configuration, as is common with newer DSL and cable modems, your router is often providing internal IP addresses to LAN workstations (typically via DHCP from the 10.0.0.x domain). These addresses are not valid outside of your LAN. The router itself has a valid public (WAN, Internet) external IP address, and (usually) 10.0.0.1 for an internal (LAN) address.
The router will take care of swapping out your LAN IP addresses and substituting its own IP address as your packets leave your LAN (it reverses the process for incoming packets). HOWEVER, Cisco's CBOS (low end) routers can't work this magic with NetBIOS packets! Surprisingly, this seems to mostly break LAN browsing. It's still possible to access servers using "universal names" (such as \\myserver). If you've set up your LMHOSTS file correctly with the IP address of your WINS server, applications like Outlook/Exchange can continue to work. (See The NetBIOS forwarder - Background for a full explanation).
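Why masquerading alone is not enough, as an added example (not from the original page or from Cisco): per RFC 1002 the NetBIOS datagram header carries the sender's own IP address, so a router that rewrites only the IP header leaves the private address inside the payload. The dict-based packet model, the function names and all addresses are constructed for illustration.

```python
import socket
import struct

# RFC 1002 datagram header: type, flags, id, source IP, source port,
# datagram length, packet offset (all big-endian, 14 bytes).
NBDGM_HEADER = struct.Struct("!BBH4sHHH")
DIRECT_GROUP = 0x11  # RFC 1002 DIRECT_GROUP DATAGRAM message type


def build_datagram(src_ip, src_port=138, payload=b""):
    """Build a constructed NetBIOS datagram (header + opaque payload)."""
    return NBDGM_HEADER.pack(DIRECT_GROUP, 0x02, 0x0001,
                             socket.inet_aton(src_ip), src_port,
                             len(payload), 0) + payload


def embedded_source(datagram):
    """Return the (ip, port) the sender wrote inside the NetBIOS header."""
    _, _, _, ip, port, _, _ = NBDGM_HEADER.unpack_from(datagram)
    return socket.inet_ntoa(ip), port


def plain_nat(packet, public_ip):
    """Masquerade as described above: only the outer IP source changes."""
    return {"src": public_ip, "dst": packet["dst"], "data": packet["data"]}


def netbios_aware_nat(packet, public_ip):
    """Also rewrite the SOURCE_IP field carried in the datagram header."""
    data = bytearray(packet["data"])
    data[4:8] = socket.inet_aton(public_ip)
    return {"src": public_ip, "dst": packet["dst"], "data": bytes(data)}


def is_consistent(packet):
    """True when the outer source matches the address inside the payload."""
    return embedded_source(packet["data"])[0] == packet["src"]


# Constructed sample: a LAN host behind the router sends a datagram out.
# Addresses are private/documentation ranges chosen for illustration.
lan_packet = {"src": "10.0.0.5", "dst": "192.0.2.10",
              "data": build_datagram("10.0.0.5", payload=b"constructed")}

if __name__ == "__main__":
    for nat in (plain_nat, netbios_aware_nat):
        out = nat(lan_packet, "203.0.113.7")
        print(nat.__name__, out["src"], embedded_source(out["data"]),
              "consistent" if is_consistent(out) else "MISMATCH")
```

The model ignores the UDP checksum, which a real translator would also have to recompute after changing the payload.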
Other than investing in a better router (see Network Address Translation and Cisco references) there is no ready solution to this problem. VPN solutions, such as SecureRemote, seem to require use of a public-space IP address for the client. Any Cisco router with a part number >= 1000 (plus the 80x's) runs IOS (not CBOS as in the Cisco 675) with some NetBIOS routing. Anything below doesn't. Cisco claims IOS routes NetBIOS over TCP/IP ("datagram and name services only, session service support coming soon").
If you're very brave, check out The NetBIOS forwarder.
Netstat -a will list ports in use
In addition to these web resources, the Windows 95 CD-ROM contains a secret help file called "Win95rk.hlp". It's the Windows 95 Resource Toolkit. Hidden away are many descriptions of NetBIOS, and descriptions of little known network utilities installed with Win95. Search for NBTSTAT and then page around that area. Key references are bold, one is even bold and enlarged!
Q172227 - Network Address Translators (NATs) Can Block Netlogon Traffic (discusses use of NetBIOS datagrams, where IP translation would need to occur)
Browsing and Troubleshooting NetBIOS
Cannot Log On to Windows NT Domain with DNS Name Resolution Only
Steve Gibson on NetBIOS (short and clear)