gmichels
Block out my home LAN from Office Network Neighborhood

I have a cable connection at home with a VPN setup through my router to access office files. I use the office WINS on my home LAN so I can access my office machines through my Network Neighborhood. Only my home "work" machine (Win2k) logs into the office NT4 domain. All other machines log into the home NT4 domain.  I can access both my home domain and office domain shares from my home "work" machine with this setup and it works great.

My problem is that my home domain appears in the office Network Neighborhood and any shares that are unprotected are accessible from anyone at the office. I can set up the home shares to protect curious or troublesome office workers but I would rather find a means to block it from appearing in the first place. Is there a port I can block on my home router to keep my home domain from appearing over the VPN connection?

gmichels (ASKER)
I suspect that the problem is that WINS is propagating the information and I am out of luck...unless there is a means to "tune up" WINS to not show this information.



AFAIK there is no central solution to block browsing just in one direction.
You need to make changes on each machine of your home network: either simply make the share invisible by adding "$" to each share name, or stop broadcasting (must be done in the registry).
Well, I don't want to make the shares invisible at home, though, so renaming with the "$" is out (I have two not-so-computer-savvy kids).  What will stopping the broadcast do? The computer is still listed with WINS, isn't it?

I am working with a couple MIS friends on this as well. If we come up with a viable working solution, I'll post it here.

The--Captain
You're right - this is an easy one.

Block UDP ports 137 and 138 (netbios NS & DGRAM) inbound to your home network.  If you want to stop everyone at the office from accessing your netbios stuff no matter what, also block inbound TCP port 139.

-Jon

I tried that. I blocked the ports mentioned and although it kept office users from my home network, I could no longer reach the office from home. I might as well not be using the office WINS service. I need to still be able to see and get to my office machine via NN from home via the VPN connection. I just want to prevent office users from reaching my boxes at home. Obviously, as more home users use their VPN from home and have home domains, we're going to have a corporate problem on our hands.

I'll diddle with those ports both inbound and outbound through my home router to see if I can get a setting to work.
If it made your office connections stop working, then it is likely that you implemented the filters in *both* direction, instead of only inbound, as I suggested.

Or maybe WINS is even more brain-dead than I thought.  Quite possible, considering who wrote the code.

-Jon

Nope, I implemented them one way only (inbound).

I'll play with the settings both inbound and outbound on those 3 ports, see if I can get anything to work. I was hoping to find someone who might already do something like this.


 
Try only 137
Okay...did some fiddlin'. I think I got it for those of you who will need this in the future. I was using Timbuktu Pro to access my home machines. I love remote access!

I have tried blocking just incoming UDP 137. No good. No access from home.
I just tried blocking only incoming UDP 138. No good. Same thing.
I then blocked only incoming TCP139 and so far, that appears to be working. I can access machines from home but the office can't access my home machines. The home domain still appears in the NN listing but it's inaccessible. I don't know if I can remove that or not. That would be ideal but WINS is rather limited.  :-P



ASKER CERTIFIED SOLUTION
The--Captain
This solution is only available to members.
All I had done was block out all three UDP137 & 138 and TCP 139 on incoming. I hadn't tried them individually or in combinations yet. I knew those ports were for NetBIOS but didn't know and still don't know really what EACH port does. You helped me to get where I can at least block out some of it while maintaining the functionality I want. I didn't even have that yet. Thanks.

I am STILL looking for a means to block my home domain from even appearing in the office NN while still being able to access from home. I suspect this is related to WINS and won't be doable but I'd love for that theory to be proven wrong. *L*

I'll leave this open for a couple more days just in case you or I or anyone else has an idea or solution. Come Friday, I'll award the points.
Thanks!

UDP 137 and 138...
Can you tell me what data the individual ports transfer?
Port 137 is netbios-ns (the 'ns' I believe stands for 'name service' or something like that); 137 (udp) is used to figure out which netbios host has which IP, I believe.  138 (udp) is netbios-dgram, which is less familiar to me.  I always thought it might be part of WINS or have some other low-level informational use, but I'm not sure (tcpdump would probably tell me).  139 (tcp) is used for the actual transfer of data (i.e. files, directory listings, etc.).

Does that answer your question?  I wasn't exactly sure what you were asking.

-Jon
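The thread's observations (blocking inbound UDP 137 broke access from home, blocking only inbound TCP 139 worked) follow from how a stateless inbound filter treats replies. This added example, not from the thread or any poster, is a small packet-filter simulator with constructed addresses and traffic: NetBIOS name service uses UDP 137 as both source and destination port, so a WINS answer to a home-originated query looks like an inbound packet to port 137 and a stateless rule drops it, while a TCP 139 reply lands on an ephemeral port and passes. A stateful variant that admits replies to flows the home side started blocks all three ports without losing office access.

```python
"""Stateless vs stateful inbound NetBIOS filtering on a home VPN router.
Constructed simulation, not a real firewall; addresses are made up."""
from dataclasses import dataclass

# The three ports named in the thread: NetBIOS name service, datagram, session.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str  # "in" = arriving from the office over the VPN, "out" = leaving home

def stateless_inbound_block(packets, blocked):
    """Drop every inbound packet whose destination port is blocked,
    regardless of which side started the conversation."""
    return [p for p in packets
            if not (p.direction == "in" and (p.proto, p.dport) in blocked)]

def stateful_inbound_block(packets, blocked):
    """Same block, but an inbound packet that is the reverse of a flow already
    seen leaving home (i.e. a reply to a home-initiated request) is allowed."""
    seen_out = set()
    kept = []
    for p in packets:
        if p.direction == "out":
            seen_out.add((p.proto, p.src, p.sport, p.dst, p.dport))
            kept.append(p)
            continue
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if (p.proto, p.dport) in blocked and reply_of not in seen_out:
            continue  # office-initiated NetBIOS traffic: dropped
        kept.append(p)
    return kept

# Constructed hosts: one home PC, the office WINS server, an office file server,
# and an office workstation poking at the home network.
HOME, WINS, FILESRV, OFFICE_PC = "192.168.1.10", "10.0.0.5", "10.0.0.20", "10.0.0.77"
TRAFFIC = [
    Packet(HOME, 137, WINS, 137, "udp", "out"),       # home asks WINS for a name
    Packet(WINS, 137, HOME, 137, "udp", "in"),        # WINS answers, also on port 137
    Packet(HOME, 1025, FILESRV, 139, "tcp", "out"),   # home opens an office share
    Packet(FILESRV, 139, HOME, 1025, "tcp", "in"),    # reply hits an ephemeral port
    Packet(OFFICE_PC, 137, HOME, 137, "udp", "in"),   # office box queries home names
    Packet(OFFICE_PC, 1040, HOME, 139, "tcp", "in"),  # office box tries a home share
]
```

Run the two filters over `TRAFFIC` with `{("udp", 137)}`, `{("tcp", 139)}` and `NETBIOS_PORTS` to reproduce each of the thread's experiments.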