Windows Share upstream of Router

bluesky74656 (Todd Kooser), Brecksville, OH:
I was wondering if anyone could help me out with an interesting problem. I plugged a wireless router into a wired network so that I could connect to that network with my laptop. I can get to the internet just fine with this setup, but I can't access any shares on other computers upstream of the router. Anyone have any thoughts? The router is a Netgear WGR614.

Thanks.
 
I was wondering if anyone could help me out with an interesting problem. I plugged a wireless router into a wired network so that I could connect to that network with my laptop. I can get to the internet just fine with this setup, but I can't access any shares on other computers upstream of the router. Anyone have any thoughts? The router is a Netgear WGR614.

Thanks.

You'd have to open up the TCP port 445 to allow Windows SMB sharing over TCP/IP to the outside world. You don't want to do that unless you can limit it to the specific IP address of your other PC. You do not want to open up the UDP ports 132-135. That's where the bad stuff gets in.

http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm

Do you have a second firewall between this one and the Internet? In that case you can just plug everything into the inside switch on this one.
 
Yeah, there's a full network on the other side of this. All I'm doing is plugging a wireless router in where I would just plug a computer in, in order to connect wirelessly. I'm not at all worried about opening any ports, because I'm already inside a network.

I just put my computer in the DMZ, that should take care of any port problems, right?

Based on an article I can't find to quote for you, I think my problem lies in the fact that a router won't forward an ARP packet, so I can't resolve the name of any windows computer to connect to. I may be able to just put an entry in the ARP cache, but I can't get in to find the server's MAC address right now.

My other option would be to simply VPN through the router to a computer on the other side, and work from there.

Any other thoughts would be appreciated.
 
I just put my computer in the DMZ, that should take care of any port problems, right?

Putting your computer in your router's DMZ makes it TOTALLY VISIBLE (NO PROTECTION) to computers out on the big bad internet. It does exactly the opposite of what you're thinking. Hosts in the DMZ can't see the internal network, the Internet can see hosts in the DMZ, and internal hosts can see those in the DMZ.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

Home router DMZs work a little different than a "true" DMZ:

wikipedia said:
Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports forwarded otherwise.

This is not a true DMZ by definition since these pseudo DMZs provide no security between that host and the internal network. That is, the DMZ host is able to connect to hosts on the internal network, but hosts in a real DMZ are prevented from doing so by the firewall that sits between them.

Get it out of the DMZ now!
 
No, no, no... you misunderstand. This router never sees the big bad internet. I'm in a dorm. All I've done is plug the uplink port of my router into the network jack that's in my room. The resnet itself goes through a router before it sees the big bad internet. So my computer, even in the DMZ, shouldn't be any more exposed than if I were to plug it straight into the wall jack. Right?

My problem is that even in the DMZ, the router is still filtering stuff.
 
I have upwards of 4 computers on the local net (when the girls are home). If they don't all set their individual third party firewalls to accept the specific local IP addresses and reset/renew the DHCP assignments on the wireless router each time they come home, they can't connect to each other even though the internet connection works for all of them. That, plus ensuring the files they want to share are actually moving between "shared" folders, seems to let them swap files around the lan.
 
Putting your computer in your router's DMZ makes it TOTALLY VISIBLE (NO PROTECTION) to computers out on the big bad internet. It does exactly the opposite of what you're thinking. Hosts in the DMZ can't see the internal network, the Internet can see hosts in the DMZ, and internal hosts can see those in the DMZ.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

Get it out of the DMZ now!

That's not necessarily true. A true DMZ (not a home network DMZ) is a separate network that is still behind a firewall. The purpose is just that you don't want computers on your protected LAN that have ports exposed to the outside world. When I want to open up a service inside of my DMZ I still have to poke a hole through my firewall.

I was wondering if anyone could help me out with an interesting problem. I plugged a wireless router into a wired network so that I could connect to that network with my laptop. I can get to the internet just fine with this setup, but I can't access any shares on other computers upstream of the router. Anyone have any thoughts? The router is a Netgear WGR614.

Thanks.

The problem that you're probably having is that your router is acting, well...like a router. You don't want it to do that, you just want it to connect you to the wired network. What port did you plug the cable into? If the answer is the WAN port, that is probably what your issue is. The best way to set it up would be to plug the cable into one of the switch ports in the back of the router. Before you do this, there are two very important steps that you must take.

1) Change the internal (LAN) of the wireless router to be a static IP address somewhere in the same range as your original (wired) LAN.
2) Disable the DHCP server in the router. You don't need it. Your other LAN should already have a DHCP server and you don't want two of them on the network.

If you set it up this way you'll be just like any other wired computer.

P.S. Don't forget to encrypt your wireless network.
P.P.S. If I just helped you bypass your IT department please disregard everything that I taught you.:rolleyes:
 
Yeah, there's a full network on the other side of this. All I'm doing is plugging a wireless router in where I would just plug a computer in, in order to connect wirelessly. I'm not at all worried about opening any ports, because I'm already inside a network.

I just put my computer in the DMZ, that should take care of any port problems, right?

Based on an article I can't find to quote for you, I think my problem lies in the fact that a router won't forward an ARP packet, so I can't resolve the name of any windows computer to connect to. I may be able to just put an entry in the ARP cache, but I can't get in to find the server's MAC address right now.

My other option would be to simply VPN through the router to a computer on the other side, and work from there.

Any other thoughts would be appreciated.

You're right, a router cannot forward an ARP packet, but a switch does. That's actually how routers work. Switches and hubs and WiFi and ARPs work at layer 2. Routers are layer 3. Never mind.

I've done this myself with my old NetGear WiFi router/firewall. You want the router/firewall/everything to work simply as a WiFi Access point.

You connect the switch ports of the two devices.

To do with that inside WiFi router you can ignore the "internet" port on it and just plug a cable from one switch port on your "outside world" router into one "inside" switch port of this one. The switch ports are the ports 1-4 that are all together. You might need a crossover cable but possibly not. You might find a X- selector switch for cascading switches on one of them or they might auto detect the other. If you get a green light on the ports on both sides you're set!

Since the switches and WiFi are all layer 2 you will be in business. What might not happen is the inside WiFi router might not get an IP address. You'd only need it to have one so you can connect to it to configure the WiFi settings.

When I did it the WiFi router picked up an IP address and gateway on the inside network through DHCP. If that doesn't work you'll have to plug your laptop in to the second one (while it's not connected to the other, in case they both try to be 192.168.1.1) and use the web interface to manually set an IP address (NOT .1, you can use any number to .254) and the IP address of the outside router (.1) as the default gateway.

It should work so that DHCP requests are forwarded so that wireless clients get an address too.

Good luck!

http://72.14.203.104/search?q=cache...ter&hl=en&gl=us&ct=clnk&cd=3&client=firefox-a
 
Putting your computer in your router's DMZ makes it TOTALLY VISIBLE (NO PROTECTION) to computers out on the big bad internet. It does exactly the opposite of what you're thinking. Hosts in the DMZ can't see the internal network, the Internet can see hosts in the DMZ, and internal hosts can see those in the DMZ.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

Get it out of the DMZ now!

Don't you think that is a little excessive? Many people (myself included from time to time) operate with a computer as a DMZ. It is my opinion that even without a firewall of any type, people aren't gonna screw with ya if you're not the government or a research facility.

Why would someone want to look at, and/or modify the contents of my computer anyways? And if they do, why would I care?
 
No, no, no... you misunderstand. This router never sees the big bad internet. I'm in a dorm. All I've done is plug the uplink port of my router into the network jack that's in my room. The resnet itself goes through a router before it sees the big bad internet. So my computer, even in the DMZ, shouldn't be any more exposed than if I were to plug it straight into the wall jack. Right?
If I understand this (and that is a stretch...:rolleyes: ) you are protected from the 'net but you are vulnerable to anyone on the network. How big is that network? How many tech savvy people on the network? How many friends/enemies do you have? Just food for thought.

-Skip
 
How big is that network? How many tech savvy people on the network? How many friends/enemies do you have? Just food for thought.

-Skip
Small network, I'm the only tech-savvy one on it other than the admin, and I have only a few enemies.

mikea said:
It should work so that DHCP requests are forwarded so that wireless clients get an address too.
Is there a way to have it not forward DHCP?

FlyNE said:
P.P.S. If I just helped you bypass your IT department please disregard everything that I taught you.

Don't worry, I won't tell.
 
Don't you think that is a little excessive? Many people (myself included from time to time) operate with a computer as a DMZ. It is my opinion that even without a firewall of any type, people aren't gonna screw with ya if you're not the government or a research facility.

I agree with you...if it were still 1998. Unpatched windows takes less than 5 minutes to compromise if connected directly to the internet. Have you gone through your logs to see just how many people are trying to brute force your linux box via SSH?

Why would someone want to look at, and/or modify the contents of my computer anyways? And if they do, why would I care?

One word. Botnet. They don't care about the contents of your computer, but it's very valuable to them.
 
Don't you think that is a little excessive? Many people (myself included from time to time) operate with a computer as a DMZ. It is my opinion that even without a firewall of any type, people aren't gonna screw with ya if you're not the government or a research facility.

Why would someone want to look at, and/or modify the contents of my computer anyways? And if they do, why would I care?

Bad idea.

It's not that someone wants to look at and or modify the contents of your computer. They want to use your computer to do bad. All it takes is someone finding a flaw in Windows and writing a worm to spread around to take advantage of it. It's completely automated and before you know it your computer is sending spam or calculating missile trajectories for Al Qaeda. If you take a Windows system that has fallen behind on some major updates and expose it to the Internet it won't last overnight.

If you take a look at some of the major worms that caused major problems with Microsoft systems you will notice that simply having them behind a router would have stopped it (Blaster, Sasser, etc).

If I get the time I will expose a Windows XP install to the internet over the weekend. We'll see how it's doing on Monday.
 
If I get the time I will expose a Windows XP install to the internet over the weekend. We'll see how it's doing on Monday.
Tune in Monday for Jesse's episode of "Myth Busters." Sounds interesting, Jesse - looking forward to seeing your results.
 
Tune in Monday for Jesse's episode of "Myth Busters." Sounds interesting, Jesse - looking forward to seeing your results.

I'm installing XP in a virtual machine right now. I'll expose it on my home Comcast. We'll see soon enough.
 
No, no, no... you misunderstand. This router never sees the big bad internet. I'm in a dorm. All I've done is plug the uplink port of my router into the network jack that's in my room. The resnet itself goes through a router before it sees the big bad internet. So my computer, even in the DMZ, shouldn't be any more exposed than if I were to plug it straight into the wall jack. Right?

Depends. A "router" can be anything from the small type you're plugging in, on up to the big Cisco beasties that handle HUGE amounts of traffic. The "big bad Internet" is made up of... Routers!!!

If the small one you have is a "NAT router" (Network Address Translation, takes your one IP number upstream and then shares it among several computers, usually handing out 192.168.1.* numbers to those computers) then you're protected from the outside world, provided you don't forward any ports and don't open up the DMZ.

However, a router of the sort large enough to handle an entire dorm is possibly, IMHO likely, to be handing out "real" IP numbers. What does that mean? The fact that there's a router is meaningless. There HAS to be a router, that's how the Big Bad Internet works.

If you plug your computer directly into the network port in your room, what IP number do you get? If it's 192.168.1.* or 10.* you're probably OK. Otherwise, you are probably exposing your computer to the entire Internet - Not OK.
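Two of the checks in this thread can be made mechanical: FlyNE's recipe for running the WGR614 as a plain access point (cable into a LAN port, static address in the upstream subnet, DHCP server off), and flyingcheesehead's "what address does the wall jack give you" test for whether something upstream is already doing NAT. The script below is an added example written for this page, not code from any poster; every address in it is a constructed sample, and the DHCP pool boundaries and the WPA2 setting are assumptions about a typical dorm network rather than facts from the thread.

```python
"""
Added example (not from the thread): sanity checks for plugging a wireless
router into an already-routed dorm jack.

 1. address_class(): classify the address the jack hands out. RFC 1918 space
    means NAT is already upstream; 169.254.x means no DHCP answered at all.
 2. same_broadcast_domain() / diagnose_share_access(): NetBIOS name lookups
    and ARP are broadcasts, so a laptop on the WGR614's private LAN and a file
    server on the dorm LAN cannot see each other by name across the router.
 3. plan_access_point(): validate the static LAN address for FlyNE's step 1 and
    emit the settings for step 2 (DHCP server disabled, WAN port unused).

All addresses below are constructed sample values.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")


def address_class(addr: str) -> str:
    """'private' (NAT upstream), 'apipa' (self-assigned, no DHCP) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def same_broadcast_domain(host_cidr: str, other_ip: str) -> bool:
    """host_cidr is the local interface with its mask, e.g. '192.168.1.5/24'.
    Broadcast name resolution and ARP only reach hosts inside that subnet."""
    local = ipaddress.ip_interface(host_cidr)
    return ipaddress.ip_address(other_ip) in local.network


def diagnose_share_access(laptop_cidr: str, server_ip: str) -> str:
    """Explain whether \\\\SERVERNAME\\share can be found by broadcast from the laptop."""
    if same_broadcast_domain(laptop_cidr, server_ip):
        return "same subnet: broadcast name resolution and ARP reach the server"
    return ("different subnet: the router will not forward NetBIOS broadcasts or ARP; "
            "connect by IP (\\\\%s\\share) or reconfigure the router as an access point" % server_ip)


def plan_access_point(upstream_cidr: str, gateway: str, dhcp_pool: tuple, candidate: str) -> dict:
    """Check a static LAN address for the router-turned-AP and return the settings.

    upstream_cidr: the dorm subnet as seen by a wired client (assumed known)
    dhcp_pool:     (first, last) address the upstream DHCP server hands out (assumed known)
    """
    net = ipaddress.ip_network(upstream_cidr)
    gw = ipaddress.ip_address(gateway)
    cand = ipaddress.ip_address(candidate)
    pool_lo, pool_hi = (ipaddress.ip_address(x) for x in dhcp_pool)

    problems = []
    if cand not in net:
        problems.append("address is not in the upstream subnet")
    elif cand in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address cannot be assigned to a host")
    if cand == gw:
        problems.append("collides with the upstream gateway (mikea's 'NOT .1')")
    if pool_lo <= cand <= pool_hi:
        problems.append("inside the upstream DHCP pool; the DHCP server may lease it to someone else")

    return {
        "ok": not problems,
        "problems": problems,
        "settings": {
            "lan_ip": str(cand),
            "netmask": str(net.netmask),
            "gateway": str(gw),
            "dhcp_server": "disabled",        # step 2: exactly one DHCP server per segment
            "wan_port": "unused",             # upstream cable goes into a LAN/switch port
            "wireless_security": "WPA2-PSK",  # assumed choice for "encrypt your wireless"
        },
    }


if __name__ == "__main__":
    print(address_class("10.20.30.40"))                              # private: NAT upstream
    print(diagnose_share_access("192.168.1.5/24", "10.20.30.40"))    # laptop behind the WGR614
    plan = plan_access_point("10.20.30.0/24", "10.20.30.1",
                             ("10.20.30.100", "10.20.30.200"), "10.20.30.50")
    print(plan["ok"], plan["settings"])
```

The classification deliberately uses the three RFC 1918 blocks rather than Python's broader `is_private`, which would also flag loopback and documentation ranges. Once the router is an access point the laptop sits in the same subnet as the server, so `diagnose_share_access` returns the "same subnet" branch and the DMZ and port-forwarding settings become irrelevant.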
 
flyingcheesehead said:
If you plug your computer directly into the network port in your room, what IP number do you get? If it's 192.168.1.* or 10.* you're probably OK. Otherwise, you are probably exposing your computer to the entire Internet - Not OK.
We're definitely 10.*. I think, with all of your help, I may have this one figured out. I'll try it when I get a chance and let you know.
 
I'm installing XP in a virtual machine right now. I'll expose it on my home Comcast. We'll see soon enough.
Opening up the full port range on the router? It would be good if you could keep logs of all accesses and file activity over the weekend, though that may be way too much to maintain reasonably. :)
 
Oh, and is this a gold code install of XP or one that's been fully updated via Windows Update first?
 
Oh, and is this a gold code install of XP or one that's been fully updated via Windows Update first?

No. Default windows install w/ SP1. No options or settings changed. :D

Do you honestly think that most users are up to date on updates? If there is a tech in a call center telling people to set themselves as DMZ this will be an example of what will happen.

I'm willing to bet if I installed all the latest windows updates and turned automatic update on it would make it through the weekend. With enough time though it would be infiltrated (Blaster, etc) are a good example of this.

I took screenshots of the process list before exposing it. I also made an image of the system so I can compare them later.
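The baseline Jesse describes (a process-list screenshot and a disk image taken before exposure) can be made reproducible by hashing the file tree before and after and diffing the two snapshots. The script below is an added example written for this page, not Jesse's tooling; the "system" it examines is a constructed temporary directory, and the dropped, modified and deleted file names are made up for the demo.

```python
"""
Added example (not from the thread): a before/after file-integrity baseline
for the "expose an XP box over the weekend" experiment.

snapshot_tree() hashes every regular file under a root; diff_snapshots()
reports what appeared, vanished or changed. The diff works on any
name -> fingerprint mapping, so a process list captured as {name: path}
can be compared the same way. demo() builds a constructed sample tree.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_tree(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256.
    Symlinks are skipped so a planted link cannot pull in files outside root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = sha256_file(full)
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Sorted lists of added, removed and modified keys between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a two-file 'system', then simulate a worm
    dropping a binary, overwriting a system file and deleting a log."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "windows/system32/svchost.exe", b"legit service host")
        _write(root, "windows/update.log", b"last update: never")
        before = snapshot_tree(root)

        _write(root, "windows/system32/dropped.exe", b"constructed payload")   # added
        _write(root, "windows/system32/svchost.exe", b"trojaned service host") # modified
        os.remove(os.path.join(root, "windows", "update.log"))                 # removed

        after = snapshot_tree(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Take both snapshots from outside the guest (mount the VM's disk image read-only on the host) rather than from inside it: once the machine is owned, anything running on it, including the process list and the hashing tool, can be made to lie, which is also why Jesse's offline disk image is the right artifact to compare against.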
 
No. Default windows install w/ SP1. No options or settings changed. :D

Do you honestly think that most users are up to date on updates? If there is a tech in a call center telling people to set themselves as DMZ this will be an example of what will happen.

I'm willing to bet if I installed all the latest windows updates and turned automatic update on it would make it through the weekend. With enough time though it would be infiltrated (Blaster, etc) are a good example of this.

I took screenshots of the process list before exposing it. I also made an image of the system so I can compare them later.

SP1?

I think I've read tests at some sites where the system was pwned in 20 minutes or so - certainly in less than an hour, even without running IE to browse.

Yep!
http://it.slashdot.org/article.pl?sid=04/08/17/1347214&tid=172

Can we have a pool?
 
No. Default windows install w/ SP1. No options or settings changed. :D

Do you honestly think that most users are up to date on updates? If there is a tech in a call center telling people to set themselves as DMZ this will be an example of what will happen.
Probably not, but I do think Windows asks about setting up automatic updates. I might be mistaken. I do think there are a decent number of users who at least try, these days, to keep up to date just because of the major news that keeps coming out.

That said, you should run TWO tests then - one out of the box, and one with the latest updates. Otherwise you're basically setting up a test that you already know is bogus. The security updates are out there, so why test what you already know is bad?
 
Probably not, but I do think Windows asks about setting up automatic updates. I might be mistaken. I do think there are a decent number of users who at least try, these days, to keep up to date just because of the major news that keeps coming out.

That said, you should run TWO tests then - one out of the box, and one with the latest updates. Otherwise you're basically setting up a test that you already know is bogus. The security updates are out there, so why test what you already know is bad?

What the security orgs are saying is you can't get the updates before you get pwned, especially if you aren't up to SP2 in the first place.

You have to have an SP2 install before you put the net on it and I only plug in behind a firewall. I suppose the Windows firewall might work, but that isn't present in SP1. Installing a third party one like Kerio or Zonealarm pre-connect should do it.
 
That said, you should run TWO tests then - one out of the box, and one with the latest updates. Otherwise you're basically setting up a test that you already know is bogus. The security updates are out there, so why test what you already know is bad?

I'm setting up a potential real world situation if you go telling people to set themselves as DMZ without reviewing their system. I can test it with SP2 and updates next week or something.
 
Ahh, I'd never tell someone who isn't comfortable with their computer to operate in a DMZ, ever. I would only say that freaking out about how dangerous the big bad internet is is a little excessive.

I'm curious how bad this will be too, Jesse. FWIW - I operate in a DMZ often enough that if anything happens to your computer, it has probably happened to mine as well, and I'm suspecting that short of a bunch of light attempts to get in, you won't find much happening if you use SP2 with all of the current security updates.

And I'd never tell a customer to do this over the phone, there's no reason for a person to be outside of a firewall if they don't know what they're doing.
 
No, no, no... you misunderstand. This router never sees the big bad internet. I'm in a dorm. All I've done is plug the uplink port of my router into the network jack that's in my room. The resnet itself goes through a router before it sees the big bad internet. So my computer, even in the DMZ, shouldn't be any more exposed than if I were to plug it straight into the wall jack. Right?

My problem is that even in the DMZ, the router is still filtering stuff.

Personally, I'd consider a dorm wide network to be worse than "the big bad internet". Nothing like a fast local connection to a bunch of vulnerable computers. Also a wireless network itself is a security risk unless you are very careful IMO.
 