Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[jclarkw]

My paranoia and ignorance are showing again:  Does this router automatically drop all external communications to ports 137, 138, 139, and 445?  (I see an unchecked box for "NetBIOS announcement" under Setup/Network Settings/DHCP Server Settings, but I'm not sure what it means.  Might I have to check it and set some other things to enable File and Printer Sharing over TCP/IP? -- see below.)

Alternatively, do I have to explicitly set rules on the router to drop all external transmissions to these ports?  If so, I don't immediately see how.  Perhaps under Advanced/Access Controls?

Background:  I'm using a DIR-645 A1 NA version with FW 1.04B11.  On the Advanced/Firewall Settings page I have SPI enabled with UDP and TCP filtering both set to "Port and Address Restricted" and "Anti-Spoof Checking" also enabled, whatever that is.  Right now I have only XP Pro machines on which File and Printer Sharing has been unbound from TCP/IP and bound to NetBEUI instead, so I feel fairly safe; but that's about to change (see below).  Port scanning by ShieldsUp currently doesn't see any ports through the router, open or closed -- in other words, it appears to be "stealthed," for what that's worth.  With NetBIOS disabled on all computers inside the LAN, however, can I perform a valid test of what will happen when File and Printer Sharing is re-bound to TCP/IP?

Straying off topic:  My new problem is that I'm planning to add Window 7 Pro machines, for which NetBEUI isn't an option, and then transition entirely to Win7 before XP goes off extended support in April.  It appears that I can still get rid of NetBIOS in favor of "Direct hosting of SMB over TCP/IP."  Apparently then only port 445 will be vulnerable.  Does anybody here know about this?  In any case I want to make sure that the router is fully protecting my file-sharing ports from the WAN and that the individual computers are also "hardened" as far as possible.  Any suggestions would be appreciated!

Since I have developed considerable faith in you guys and am finding little help elsewhere, I ask also for any guidance you might have on the off-topic aspect of this post. Thanks in advance! -- jclarkw

[jclarkw]

Please Help:  This **might** be a router issue (see system details above).

I'm trying to switch File and Printer Sharing over from NetBEUI to TCP/IP (with NetBIOS disabled under WINS according to http://support.microsoft.com/kb/204279/en-us) on my two Windows XP machines in preparation for new Windows 7 machines coming on line.  Now I can't see any of my network shares on either machine from the other, although both machines can access the Internet through the router just fine and the shares and permissions still seem valid.  Here's what I did, for what it's worth:

On both of the Windows XP machines that are currently on my LAN, I (1) disabled NetBEUI for all network connections where it was installed (LAN, Bluetooth, and Wireless), (2) changed over from NetBEUI to TCP/IP as the binding for both "Client for Microsoft Networks" and "File and Printer Sharing" on the LAN and wireless connections, and (3) disabled NetBIOS over TCP/IP under WINS (where it wasn't already so) per instructions at http://support.microsoft.com/kb/204279/en-us.

I've never shared files through any router over TCP/IP before.  Are there settings on the router that would likely have to be changed to switch from NetBEUI to TCP/IP file sharing, or where else could I have gone wrong?

Do I need to start a new thread for this? -- jclarkw

[FurryNutz]

All shared network folders and printers I've ever used with any D-Link router is mostly controlled by Windows alone. Even with out a router, you can still share folders and files and connect between PCs and devices if you set up static IPs on the devices.

Only thing you need to make sure of so that you see the shared devices in Windows Networking, is to make sure the work group name is the same on all PCs.

I've always shared between XP and 7 PCs with out issues.

I have never used NetBEUI.

Windows Sharing is safe and secure even with out a router.

[jclarkw]

>>Only thing you need to make sure of so that you see the shared devices in Windows Networking, is to make sure the work group name is the same on all PCs.
I've always shared between XP and 7 PCs with out issues.<<


Hi, Furry -- Maybe you're onto it.  A while back you persuaded me to set up the DIR-645 to assign a fixed IP address to each MAC address in my MAC filter list, and that's been working fine.  But never having used it, I don't know if that implies settings needed in Microsoft Networking over TCP/IP.  Do you set up fixed IP addresses (or MAC addresses) there too?

And there are settings in the D-Link FW for "NetBIOS announcement" under Setup/Network Settings/DHCP Server Settings.  I don't know what they do or if they are needed for this.  With NetBEUI as the transport, I was bypassing a lot of stuff... -- jclarkw

[FurryNutz]

>>Hi, Furry -- Maybe you're onto it.  A while back you persuaded me to set up the DIR-645 to assign a fixed IP address to each MAC address in my MAC filter list, and that's been working fine.  But never having used it, I don't know if that implies settings needed in Microsoft Networking over TCP/IP.  Do you set up fixed IP addresses (or MAC addresses) there too?<<

You haven't reserved IP addresses for all of your devices yet? 

[jclarkw]

>>You haven't reserved IP addresses for all of your devices yet?<<


On the router, yes.  On the Setup/Network Settings page I enabled a DHCP reservation for each of my devices by MAC address, so I guess that means DHCP is still assigning addresses to devices when they connect, but the addresses are always the same.  (On the Advanced/Network Filter page I am also allowing only the same list of MAC addresses to connect, but I doubt that's relevant.)

What I was trying to say is that, since I've never used TCP/IP for MS File and Printer Sharing before, I don't know if any particular router settings are required to make that work, especially with NetBIOS disabled on the computers.  I've chosen to disable NetBIOS for "Direct Hosting of SMB over TCP/IP" -- see explanation below.  Perhaps the router simply won't allow this setup and demands that NetBIOS over TCP/IP be enabled?

Microsoft has KB articles on "Direct Hosting of SMB over TCP/IP" (which they say is preferred) and on "How to disable NetBIOS over TCP/IP by using DHCP server options."  In XP on the NetWork Connections/LAN Properties/TCP-IP Properties/Advanced/WINS tab there are three options for NetBIOS settings.  The former KB (204279) says to select "Disable NetBIOS over TCP/IP," which is what I've done on both computers.  The latter KB (313314) says to select "Default: Use NetBIOS setting from the DHCP server," but it also presumes that I have control over the DHCP server setup, which in my case is in the router hence not under my control.  In either case the objective is the disable NetBIOS as an added level of security.

If there aren't any relevant router settings, then I must have messed up my settings in Microsoft Networking... -- jclarkw

[FurryNutz]

Ya, routers I don't believe care if NetBIOS is enabled or disabled on the network.

Just enabling a HOST NAME on the PCs and setting the work group name to be the same on all Windows PCs and the LAN HOST name on the router under Setup/Networking as the same should be all you need. Then once this is done, you should be able to see all the connected PCs on the same work group in Network Places in Windows. If you have shared out folders on each PC, then my selecting the PC icon in Network Places should display the available shared folder. Access will depend if you gave EVERYONE or a specific User access.

[jclarkw]

>>Just enabling a HOST NAME on the PCs and setting the work group name to be the same on all Windows PCs and the LAN HOST name on the router under Setup/Networking as the same should be all you need.<<


Furry -- Not sure I follow you about "... and the LAN HOST name on the router under Setup/Networking as **the same**" (emphasis mine).  Under Setup/Network Settings/Router Settings, "Host Name" is set to "dlinkrouter" (the default), and "Local Domain Name (optional)" is blank (also the default).  I don't know where I would enter "dlinkrouter" in Windows Networking on the computers, if that's what you mean.

Or do you mean that "Host Name" (or perhaps the "Local Domain Name") on the router should be set the same as "Workgroup" on the computers?.

(The computers do each have unique "Full computer names" and the same "Workgroup" name.  They have shares enabled with permissions set to the same account name and password.  Both computers have an account with these credentials.  All of this worked fine under NetBEUI when I was logged onto both machines with this specific account.) -- jclarkw

[FurryNutz]

>>Just enabling a HOST NAME on the PCs and setting the work group name to be the same on all Windows PCs and the LAN HOST name on the router under Setup/Networking as the same should be all you need.<<


Furry -- Not sure I follow you about "... and the LAN HOST name on the router under Setup/Networking as **the same**" (emphasis mine).  Under Setup/Network Settings/Router Settings, "Host Name" is set to "dlinkrouter" (the default), and "Local Domain Name (optional)" is blank (also the default).  I don't know where I would enter "dlinkrouter" in Windows Networking on the computers, if that's what you mean. I use the following string for the Routers Host Name; DIR645A1V104B11. Makes it easy to see Rev and FW version info.

Or do you mean that "Host Name" (or perhaps the "Local Domain Name") on the router should be set the same as "Workgroup" on the computers?. Yes, LDN should be the same same has he HOST NAME for the Work Group name in Windows.

(The computers do each have unique "Full computer names" and the same "Workgroup" name.  They have shares enabled with permissions set to the same account name and password.  Both computers have an account with these credentials.  All of this worked fine under NetBEUI when I was logged onto both machines with this specific account.) -- jclarkw

[jclarkw]

>>Yes, LDN should be the same same has he HOST NAME for the Work Group name in Windows.<<



Didn't help.  I set the LDN equal to the Workgroup name assigned to both computers.  I'm still getting an error message, :"[Workgroup name or specific share] is not accessible.  You might not have permission to use this network resource..."  This even after re-booting both computers.

If that's the only requirement on the D-Link side, I must have problems with either the firewalls on the computers themselves (Windows firewall overlaid by W7FC) or my Windows Networking settings.  I'll try the firewalls first and report if I figure it out... -- jclarkw

[jclarkw]

>> I'll try the firewalls first and report if I figure it out...<<


Well, it's not the firewalls.  I unplugged the WAN connection from the router (for safety), turned off both firewalls completely, and tried again.  Still same error messages...

(Meanwhile I re-adjusted the firewalls to allow exceptions for File and Printer Sharing.  Blocking this was not a problem with the NetBEUI transport, which seemed to pass right through any TCP/IP restrictions, but that shouldn't work for me anymore...) -- jclarkw

[FurryNutz]

Can you do a map drive and input the IP address of the remote PC with the file share and access the folder that way?

\\192.168.0.###\sharefoldername

After you input that, you may need to log in as the remote PCs user name and pw or if you shared out the folder to everyone, it should display the contents.

I presume this is a Windows configuration issue here...

[jclarkw]

>>I presume this is a Windows configuration issue here...<<


Yes, I think it's not really your problem; but I will try the drive map (once I figure out how) and report back.  Thanks! -- jclarkw

[jclarkw]

Can you do a map drive and input the IP address of the remote PC with the file share and access the folder that way?
\\192.168.0.###\sharefoldername

Yes that works!  In fact, just typing \\192.168.0.### into the Windows Explorer address bar brings up **all** the shared directories on the specified computer!!  This is very cool!!!

Would you please check me on the following conclusions:

1) I guess that means it's only Windows's computer-name resolution that's not working on the LAN.

2) Since name resolution would, I presume, normally be provided by NetBIOS, I would need to use NetBIOS over TCP/IP if and only if I want File and Printer Sharing to work normally.

3) You have given me a work-around that does not require NetBIOS as long as I know the IP addresses of all computers on the LAN (which I do through DHCP reservations, thanks to your earlier advice!).  Thus, no need for NetBIOS over TCP/IP at all!

4) Perhaps this is actually what the previously quoted KB, "Direct Hosting of SMB over TCP/IP," was trying to tell me.  In that case, I'm probably using only port 445 for file sharing instead of the old ports 137-139.  (I don't need to know how to apply this trick to printer sharing, since I'm not doing that right now...)

[jclarkw]

I presume this is a Windows configuration issue here...

Please also let me take you back to the original topic of this thread for a second:  I'm reading through the DIR-645 firmware Web page again, and I'm still not clear on what traffic is being blocked automatically vs. manually.  I can tell from GRC's ShieldsUp probes that all "service ports" are "stealthed" to **inbound** traffic, but...

1) what about **outbound** traffic?  Specifically, are File and Printer Sharing (ports 137-139 and 445) requests **outbound** from LAN computers blocked from entering the WAN?  What about other ports?  (Obviously outgoing HTTP requests on port 80, SMTP traffic on port [unkown] POP3 requests on port(s) [unkown], and probably others must be allowed...)

2) How is this controlled?  Automatically?  Or can I specify such detailed directional port blocking somehow?

Best Regards -- jclarkw