Solved

Block out my home LAN from Office Network Neighborhood

Posted on 2001-09-04
Last Modified: 2010-04-12
I have a cable connection at home with a VPN setup through my router to access office files. I use the office WINS on my home LAN so I can access my office machines through my Network Neighborhood. Only my home "work" machine (Win2k) logs into the office NT4 domain. All other machines log into the home NT4 domain.  I can access both my home domain and office domain shares from my home "work" machine with this setup and it works great.

My problem is that my home domain appears in the office Network Neighborhood and any shares that are unprotected are accessible from anyone at the office. I can set up the home shares to protect curious or troublesome office workers but I would rather find a means to block it from appearing in the first place. Is there a port I can block on my home router to keep my home domain from appearing over the VPN connection?

Question by:gmichels
13 Comments
 
LVL 3

Author Comment

by:gmichels
ID: 6454542
I suspect that the problem is that WINS is propagating the information and I am out of luck...unless there is a means to "tune up" WINS to not show this information.



 
LVL 51

Expert Comment

by:ahoffmann
ID: 6456086
AFAIK there is no central solution to block browsing just in one direction.
You need to make changes on each machine of your home network: either simply make the share invisible by adding "$" to each share name, or stop broadcasting (must be done in the registry).
 
LVL 3

Author Comment

by:gmichels
ID: 6457043
Well, I don't want to make the shares invisible at home, though, so renaming with the "$" is out (I have two not-so-computer-savvy kids).  What will stopping the broadcast do? The computer is still listed with WINS, isn't it?

I am working with a couple MIS friends on this as well. If we come up with a viable working solution, I'll post it here.

 
LVL 16

Expert Comment

by:The--Captain
ID: 6473862
You're right - this is an easy one.

Block UDP port 137 and 138 (netbios NS & DGRAM) inbound to your home network.  If you want to stop everyone at the office from accessing your netbios stuff no matter what, also block inbound TCP port 139.

-Jon

 
LVL 3

Author Comment

by:gmichels
ID: 6474538
I tried that. I blocked the ports mentioned and although it kept office users from my home network, I could no longer reach the office from home. I might as well not be using the office WINS service. I need to still be able to see and get to my office machine via NN from home via the VPN connection. I just want to prevent office users from reaching my boxes at home. Obviously, as more home users use their VPN from home and have home domains, we're going to have a corporate problem on our hands.

I'll diddle with those ports both inbound and outbound through my home router to see if I can get a setting to work.
 
LVL 16

Expert Comment

by:The--Captain
ID: 6474785
If it made your office connections stop working, then it is likely that you implemented the filters in *both* direction, instead of only inbound, as I suggested.

Or maybe WINS is even more brain-dead than I thought.  Quite possible, considering who wrote the code.

-Jon

 
LVL 3

Author Comment

by:gmichels
ID: 6474813
Nope, I implemented them one way only (inbound).

I'll play with the settings both inbound and outbound on those 3 ports, see if I can get anything to work. I was hoping to find someone who might already do something like this.


 
 
LVL 16

Expert Comment

by:The--Captain
ID: 6474903
Try only 137
 
LVL 3

Author Comment

by:gmichels
ID: 6475117
Okay...did some fiddlin'. I think I got it for those of you who will need this in the future. I was using Timbuktu Pro to access my home machines. I love remote access!

I have tried blocking just incoming UDP137. No good. No access from home.
I just tried blocking only incoming UDP138. No good. Same thing.
I then blocked only incoming TCP139 and so far, that appears to be working. I can access machines from home but the office can't access my home machines. The home domain still appears in the NN listing but it's inaccessible. I don't know if I can remove that or not. That would be ideal but WINS is rather limited.  :-P



 
LVL 16

Accepted Solution

by:The--Captain (earned 50 total points)
ID: 6476104
Indeed - as I mentioned, port 139 cuts off all access (OK, well really, it cuts off the data transfer portion of netbios).  I thought you were looking for a solution that would make your home machines not visible?

In any case, I'm glad you are happy with blocking port 139 - I just thought that you already had the functionality that blocking port 139 provides, and were looking for an even more elegant solution.

-Jon

 
LVL 3

Author Comment

by:gmichels
ID: 6476233
All I had done was block out all three UDP137 & 138 and TCP 139 on incoming. I hadn't tried them individually or in combinations yet. I knew those ports were for NetBIOS but didn't know and still don't know really what EACH port does. You helped me to get where I can at least block out some of it while maintaining the functionality I want. I didn't even have that yet. Thanks.

I am STILL looking for a means to block my home domain from even appearing in the office NN while still being able to access from home. I suspect this is related to WINS and won't be doable but I'd love for that theory to be proven wrong. *L*

I'll leave this open for a couple more days just in case you or I or anyone else has an idea or solution. Come Friday, I'll award the points
 
LVL 3

Author Comment

by:gmichels
ID: 6483703
Thanks!

UDP 137 and 138...
Can you tell me what data the individual ports transfer?
 
LVL 16

Expert Comment

by:The--Captain
ID: 6483933
Port 137 is netbios-ns (the 'ns' I believe stands for 'name service' or something like that). 137 (udp) is used to figure out which netbios host has which IP, I believe. 138 (udp) is netbios-dgram, which is less familiar to me. I always thought it might be part of WINS or have some other low-level informational use, but I'm not sure (tcpdump would probably tell me). 139 (tcp) is used for the actual transfer of data (i.e. files, directory listings, etc.).

Does that answer your question?  I wasn't exactly sure what you were asking.

-Jon

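The inbound-only filter Jon recommends, written out as a rule set with the per-port breakdown from his last comment. This is an added example, not code from the thread or from any of its participants. It assumes a Linux router running iptables with the conntrack match, with the VPN arriving on an interface named tun0 and the home LAN behind it (both interface names are assumptions). It also adds TCP 445, which the thread never mentions: hosts newer than NT4 carry SMB directly over that port as well as over 139, so a 139-only rule leaves a gap on such hosts. The important detail is the ESTABLISHED,RELATED rule: on a stateful filter, name-service replies to queries the home side sent are matched as established, so home-to-office browsing survives while office-initiated traffic to the same ports is dropped. A stateless "block inbound udp/137" rule drops those replies too, which is consistent with what the asker saw when blocking 137 alone.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumes a Linux router with
# iptables + conntrack, VPN on "tun0", home LAN forwarded behind it.
# By default the script only prints the rules (dry run); set APPLY_RULES=1
# to install them with the real iptables binary.

IPT="${IPT:-iptables}"
VPN_IF="${VPN_IF:-tun0}"

# Office -> home NetBIOS/SMB policy for packets forwarded from the VPN
# interface into the home LAN. Arguments: iptables command, VPN interface.
netbios_inbound_policy() {
    ipt="$1"
    ifc="$2"

    # Replies to anything the home side initiated (TCP sessions and UDP
    # name queries alike) are allowed, so home -> office browsing via the
    # office WINS keeps working.
    "$ipt" -A FORWARD -i "$ifc" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # NetBIOS session service (tcp/139): new office-initiated sessions to
    # home shares (directory listings, file transfer). This is the single
    # rule the thread settled on.
    "$ipt" -A FORWARD -i "$ifc" -p tcp --dport 139 -m conntrack --ctstate NEW -j DROP

    # Direct-hosted SMB (tcp/445): not discussed in the thread, but the
    # same service on post-NT4 hosts, so block it alongside 139.
    "$ipt" -A FORWARD -i "$ifc" -p tcp --dport 445 -m conntrack --ctstate NEW -j DROP

    # NetBIOS name service (udp/137): office hosts resolving home names
    # directly. Only NEW inbound queries are dropped; replies to home
    # queries already matched the ESTABLISHED rule above.
    "$ipt" -A FORWARD -i "$ifc" -p udp --dport 137 -m conntrack --ctstate NEW -j DROP

    # NetBIOS datagram service (udp/138): browser announcements and other
    # mailslot datagrams; nothing the home side needs to receive from the
    # office for its own browsing.
    "$ipt" -A FORWARD -i "$ifc" -p udp --dport 138 -j DROP
}

if [ -n "${APPLY_RULES:-}" ]; then
    netbios_inbound_policy "$IPT" "$VPN_IF"
else
    # Dry run: print each rule instead of installing it.
    netbios_inbound_policy echo "$VPN_IF"
fi
```

Note that this only stops office hosts from reaching home machines; it does not stop the home domain from being listed. The browse list is built from announcements and the office WINS database, and as the thread concludes, a router filter alone does not remove entries that WINS already holds.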
