FW: UDP Broadcast across router
Ryan Hoegg
rhoegg@isisnetworks.net
Fri, 07 Jul 2000 14:33:21 -0400
Alexander,
I'm quite surprised that it does. I have not tried it across a MASQUERADE rule, as I
do not have an NT domain to test it on at present. However, since as far as I know -j
MASQUERADE is just a special case of SNAT, it should behave the same when it comes to
NetBIOS traffic.
Your reply prompted me to do some more research on the subject. So, here is
Microsoft's official word on the subject, in which they describe situations in which
NAT may not handle certain types of NetBIOS traffic:
http://support.microsoft.com/support/kb/articles/q172/2/27.asp
To summarize for those of you without web browsers, NetBIOS sends replies to the Owner
IP field in the NetBIOS header of certain NetBIOS Name Management and Datagram packets
instead of the source IP in the IP header. These packets are used for, among other
things, locating a logon server and sending a logon request.
Has anyone had experience with this either working or not working? I personally have
witnessed the exact behavior mentioned in the MS Knowledgebase article above using NT
4.0 workstations with an NT 4.0 server, all running SP5. In addition, I have had it
independently reported to me that neither netfilter nor Windows 2000 Advanced Server
RRAS translates this traffic correctly in the same situation and with Windows 2000
workstations.
Alexander Demenshin wrote:
> > WINS name resolution works fine. The reason domain logons (and therefore any
> > activity requiring user-level authentication) do not work is that the IP address
> > of the client machine is embedded in the NETLOGON packet.
>
> Hmm... Then why does it work across simple masquerading? :)
>
> /Al
Ryan Hoegg, MCSE, MCP+I
Sr. Systems Engineer
ISIS Networks
rhoegg@isisnetworks.net
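
The mismatch described in the message above, as an added example that is not part of the original post: it parses the fixed NetBIOS datagram header (UDP port 138) and compares the address embedded there with the IP-layer source, which is the only one SNAT/MASQUERADE rewrites. It assumes the embedded field is the one RFC 1002 names SOURCE_IP; the function names, addresses and sample datagram are constructed for illustration.

```python
import ipaddress
import struct

# RFC 1002 datagram header: MSG_TYPE, FLAGS, DGM_ID, SOURCE_IP, SOURCE_PORT
NBDGM_HEADER = struct.Struct("!BBH4sH")
DIRECT_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}


def parse_nbdgm_header(payload: bytes) -> dict:
    """Parse the fixed header of a NetBIOS datagram (UDP port 138 payload)."""
    if len(payload) < NBDGM_HEADER.size:
        raise ValueError("payload shorter than NetBIOS datagram header")
    msg_type, flags, dgm_id, src_ip, src_port = NBDGM_HEADER.unpack_from(payload)
    return {
        "msg_type": DIRECT_TYPES.get(msg_type, hex(msg_type)),
        "flags": flags,
        "dgm_id": dgm_id,
        "embedded_ip": str(ipaddress.IPv4Address(src_ip)),
        "embedded_port": src_port,
    }


def embedded_address_mismatch(ip_header_src: str, payload: bytes) -> bool:
    """True when the address inside the NetBIOS header differs from the
    IP-layer source, so a reply sent to the embedded address would not
    follow the NAT mapping."""
    hdr = parse_nbdgm_header(payload)
    embedded = ipaddress.IPv4Address(hdr["embedded_ip"])
    return embedded != ipaddress.IPv4Address(ip_header_src)


def build_sample(client_ip: str, dgm_id: int = 0x1234) -> bytes:
    """Constructed sample: fixed header plus zeroed DGM_LENGTH and
    PACKET_OFFSET, with no names or user data."""
    packed_ip = ipaddress.IPv4Address(client_ip).packed
    fixed = NBDGM_HEADER.pack(0x10, 0x02, dgm_id, packed_ip, 138)
    return fixed + struct.pack("!HH", 0, 0)


if __name__ == "__main__":
    CLIENT, NAT_PUBLIC = "192.168.1.10", "203.0.113.5"  # constructed addresses
    dgm = build_sample(CLIENT)
    # Before NAT: IP header and NetBIOS header agree.
    print("inside :", embedded_address_mismatch(CLIENT, dgm))
    # After SNAT/MASQUERADE: only the IP header source was rewritten.
    print("outside:", embedded_address_mismatch(NAT_PUBLIC, dgm))
    print(parse_nbdgm_header(dgm))
```

Run against captured port 138 payloads on the outside interface, a `True` result marks datagrams whose replies would be addressed to the untranslated internal host.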