Did you adjust the MTU for a particular interface on the firewall or on the clients directly? Or, is it possible to change the MTU of the IPSEC tunnel itself?
I'm seeing some improved performance by enabling "Clear DF bit instead of dropping" on the pfsense side as well as "Allow IPsec fragmented packets" on the monowall side. It appears that fragmentation/MTU is the likely culprit...
Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105
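To put numbers on the fragmentation theory raised above, here is an added calculator (not code from the thread or from m0n0wall/pfSense) that works out how large an ESP tunnel-mode packet becomes for a given inner packet, the largest inner packet that still fits the outer MTU, and the TCP MSS to clamp to. The cipher suite (AES-CBC with HMAC-SHA1-96, no NAT-T) and the 1500-byte outer MTU are assumptions, since the thread does not state them.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class EspParams:
    """ESP tunnel-mode parameters (assumed values; adjust to the real SA)."""
    block_size: int      # cipher block in bytes: 16 for AES-CBC, 8 for 3DES-CBC
    iv_len: int          # IV bytes: 16 for AES-CBC, 8 for 3DES-CBC
    icv_len: int         # integrity check value: 12 for HMAC-SHA1-96 / HMAC-MD5-96
    nat_t: bool = False  # UDP encapsulation (RFC 3948) adds an 8-byte UDP header


OUTER_IP_HDR = 20   # outer IPv4 header (no options)
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
UDP_HDR = 8
TCP_IP_HDR = 40     # inner IPv4 + TCP headers without options

# Assumed suite for the worked numbers below.
AES_SHA1 = EspParams(block_size=16, iv_len=16, icv_len=12)


def esp_tunnel_size(inner_len: int, p: EspParams) -> int:
    """Outer packet size after ESP tunnel-mode encapsulation of an inner_len-byte IP packet."""
    # RFC 4303: payload + pad length + next header is padded to the cipher block size.
    padded = math.ceil((inner_len + ESP_TRAILER) / p.block_size) * p.block_size
    total = OUTER_IP_HDR + ESP_HDR + p.iv_len + padded + p.icv_len
    return total + UDP_HDR if p.nat_t else total


def fragments(inner_len: int, outer_mtu: int, p: EspParams) -> bool:
    """True if an inner packet of this size forces the ESP packet to be fragmented (or dropped if DF is set)."""
    return esp_tunnel_size(inner_len, p) > outer_mtu


def max_inner_mtu(outer_mtu: int, p: EspParams) -> int:
    """Largest inner IP packet that crosses the tunnel without fragmentation."""
    # Overhead is well under 100 bytes, so a short downward search is enough.
    for inner in range(outer_mtu, 0, -1):
        if esp_tunnel_size(inner, p) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any ESP packet")


def clamp_mss(outer_mtu: int, p: EspParams) -> int:
    """TCP MSS to advertise/clamp so full-size SMB segments never fragment."""
    return max_inner_mtu(outer_mtu, p) - TCP_IP_HDR


if __name__ == "__main__":
    print("1500-byte inner packet becomes", esp_tunnel_size(1500, AES_SHA1), "bytes")
    print("max inner MTU", max_inner_mtu(1500, AES_SHA1), "-> clamp MSS to", clamp_mss(1500, AES_SHA1))
```

A default 1500-byte Windows packet grows past the outer MTU under this suite, which is exactly the case where clearing the DF bit or allowing fragmented IPsec packets makes a stalled transfer start moving; lowering the client MTU or clamping the MSS below the computed value avoids the fragmentation altogether.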
----- Original Message -----
From: "Mark Rinaudo" <***@preferreddatasolutions.com>
To: ***@lists.m0n0.ch
Sent: Wednesday, July 23, 2008 9:45:45 AM GMT -06:00 US/Canada Central
Subject: Re: [m0n0wall] SMB over IPSEC...
Tim,
I had a similar issue a couple of years ago with an ipsec tunnel between my
m0n0wall and a netgear router. The tunnel would come up and I could browse a
windows 2003 server's folders but dealing at the file level was slow and
writing files was impossible. Finally tracked it down to the MTU size of
packets being sent from the windows machines. Try adjusting the MTU size of
your packets and see if that helps.
Mark
Preferred Data Solutions
318-550-3381
----- Original Message -----
From: "Tim Nelson" <***@rockbochs.com>
To: <***@lists.m0n0.ch>
Sent: Wednesday, July 23, 2008 9:07 AM
Subject: [m0n0wall] SMB over IPSEC...
Hello fellow monowallers... I know the issue of SMB/Samba/Netbios over IPSEC
has come up many times. However, the issue always seems to be related to the
fact that broadcasts are not being passed over the IPSEC tunnel. I'm
currently trying to use Samba over IPSEC (one site has monowall 1.3b11 and
the other has pfSense 1.2-RELEASE) but instead of relying on broadcasting
and using 'Network Neighborhood' to find the Samba boxes, we're accessing
them directly via IP address by entering "\\192.168.1.100" in the address
bar of the clients which are primarily WinXP machines. They are able to find
the server and access its shares but opening a file... even small ones like
20k... takes FOREVER. I'm wondering if there isn't a different issue such as
fragmentation happening. Both sides of the tunnel have completely open
"Allow any to any from any" rules so firewalling should not be the issue.
Has anyone seen this type of behavior before? I can make my logs available
but after looking through them, I'm not seeing anything of consequence. All
help is welcome and appreciated. Thank you!
Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105
---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall-***@lists.m0n0.ch
For additional commands, e-mail: m0n0wall-***@lists.m0n0.ch