-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WSD between Vlan's #85
Comments
Interesting problem. Here's what I can tell from the logs and your screenshots
In both cases ("Hello" and "Probe") the message interchange appears to be interrupted. It looks as if the flow from the wsdd host to Windows is interrupted. The opposite direction appears to work since the Probe message is received by wsdd (at least for IPv4). For me it looks like the firewall setup is not correct. I cannot judge on the Opnsense configuration if it really allows all traffic for either address family. Please also note that you must allow TCP traffic for port 5357 on the wsdd machine as well. |
Well, you brought me to the idea to make a complete "working" log first. As far i understood after this probe, the windows computer should contact wsdd on port 5357. So i need to debug this 🙈 Can be igmp snooping on a switch a problem? Thank you very much. You gaved me good hints! |
No. There are two message flows to distinguish here: Announcement at Startup with Hello
General Discovery
You can find a picture for that here: https://docs.microsoft.com/en-us/windows/win32/wsdapi/discovery-and-metadata-exchange-message-patterns Note that the "Hello" flow is not fully shown there.
That could actually be a problem. I don't know how multicast group membership is handled between VLANs... or (to put it in another way) if a membership to the same group is even possible when hosts are on different VLANs and there is "converter" in between.
Good idea to remove simplify the problem.
🇩🇪 Gerne 😉 |
Hehe, hab schon mitbekommen das du deutschsprachig bist 😂 Back to english. However, i tested today a bit, but don't have enough energy left to find the problem. It's definitively something with the opnsense. However, i will find out, get it running and post the solution. Thanks and good evening ✌️😂 |
Tryed today a virtual setup with ipfire/openwrt. And i tryed a full virtual setup on proxmox (win10+openwrt/opnsense+wsdd), to get the physical switches out of the way 🤣 Nothing helped, and everything in the stupid firewall logs is green (allowed). Seems for me like the windows host somehow ignores or doesn't reply to the probe, if it doesn't comes from a network that windows doesn't know 🤣 (from gw) Well, i need somehow to debug what windows does exactly, but I don't know how 🙈 Is there maybe any linux way? Like in theory i could let talk wsdd with wsdd on different vlans? Or anything else that would make my tests easier? |
Have you tried to eliminate openwrt/opensense an putting Win10 on the same VLAN. This would ensure that the setup actually works. If not the issue might not be firewall
It could be that Windows actually ignores messages from networks it does not "know". Are the Windows host and the wsdd machine on the same IP network (layer 3) although they are on different VLANs (layer 2)? Or to put in another way: What are the IP addresses (plus "netmask") of the Server/wsdd machine and the Windows host? |
Sorry, i didn't seen that you replyed 🤦♂️ However, in short: Vlan 24 - 192.168.24.0/30 (Transfer Wan for pppoe) This is quite simple home setup, just sounds super complex 😂 The samba server is on (25) Well if both are on the same network (L2) / aka same vlan, wsdd works perfectly. I see the linux server even before everything else in the windows network discovery 🤣 If they aren't on same vlan (different networks / L3), wsdd doesn't work. Usually there are multicast reflectors, that reflect multicast from one network to another. All what it does is: However, with the udpbroadcastrelay, wsdd sees the probe from windows and is replying to it. Without udpbroadcastrelay, there is nothing, not even a probe. This makes absolutely sense, because both vlans are own broadcast/multicast domains. For example if you ping 255.255.255.255 on vlan 25, nothing of vlan 27 would answer, cause 2 different networks 🙈 But aside from broadcast/unicast/multicast, which are naturally layer 2 cant work without "reflectors" between 2 networks, layer 3 communications (ip) can reach everything between both networks. There is no nat or anything between. So basically, i need to make multicast/unicast/broadcast working between wsdd and the w10 clients, because for everything else they can communicate with each other. Probably there is more involved in wsdd, other as 239.255.255.250 on port 3702. Sorry if my explanation sounds like for idiots 🤦♂️ |
Ah one other thing. Udpbroadcastrelay doesn't support ipv6 🤦♂️ But all my networks are properly ipv4 & v6 configured. Means on layer 3 everything with ipv6 is reachable by everyone between the networks. However, i tested this either, disabled on w10 the ipv6 stack and it doesn't change anything 🙈🤣 |
OK. Then let's stick with IPv4 in the discussion.
Do they share the same IPv4 address range in that case or do the hosts have are different address ranges as listed above, so from different IPv4 subnets. I ask because if they are from different subnets the routing must work correctly. Let's recap a little: When the hosts are on different VLANs, we see that multicast traffic arrives from Windows (Probe) and - as pointed out above - the flow is interrupted after the ProbeMatch is sent (at least the wsdd log lets me conclude that). So the question is: Where or why does this message disappear? Up to now, we don't know if the ProbeMatch arrives on the Windows host. It doesn't look so, because the subsequent Resolve message does not appear in the wsdd log, but - again - we don't know if ProbeMatch really arrives. I would suggest to check for this fact now. Maybe you can install wireshark on a Windows machine and check for UDP traffic that was sent from port 3702. You may use the filter In you initial post you mentioned that
However, looking the screenshot from the config again it appears to me that UDP/IPv4 traffic is only allowed for specific port unrelated to wsdd. Further, only traffic coming from the user net is allowed, but what about traffic from user net to the server net? I ask this again because I have no experience with Opnsense but from my nft/iptables knowledge I would assume no packets to the server net are allowed given a reject policy. |
Maybe i make it a bit easier :-) Wireshark: Wireshark cut, of exactly one refresh in windows explorer: So the message arrives from wsdd xD |
Only a little 😉 For me, the last two rules only allow traffic from the same network, e.g. source address is from LAN User (192.168.27.0/24), but what about the other networks? Regardless of this, the reason for the issue maybe really is Windows since the ProbeMatch message arrives at Windows.
After seeing the dump and excluding the firewall as a potential blocker of the ProbeMatch message, my impression is that Windows is actually involved here. The whole WSD thing is for service discovery on your local network. The Linux server and the Windows client are on different networks from the Windows perspective. Thus, wsdd replies to a Probe request from a network that Windows assumes is not the local one - and from IP address perspective this is actually true. Remember that you already had to do a handstand by reflecting the multicast traffic to another, i.e. non-local, network. Apparently this works but windows appears to be "smart" enough to check that a reply is not coming from the local network. I fear that nothing can be done from the wsdd side here.
That would be interesting. If it really works on the Linux subnet, another pcap dump would be really appreciated. 😉 Btw, wsdd has a discovery mode which can be used to search for Windows or Linux hosts running wsdd. However, wsdd is (currently) not doing such "smart" checks whether the address is from the local net or not. If you place a Linux machine in your VLAN 27/Users net and launch the discovery mode you may see the Linux hosts from the other network. To be fair: This won't really help you to convince Windows that is should detect the hosts as well. But it would be interesting to see if it works. |
I will do another pcap, no problem, but a bit later, cause i think i know what the problem is xD I understand now what you mean, don't compare the rules above with iptables :-) The picture above is LAN_USER, imagine LAN_USER as an interface port, that means "LAN_USER net" as source on LAN_USER interface, its same as this: in theory, i can exchange "LAN_USER net" with a wildcard, since the source on that interface can anyway be only 192.168.27.xx... However, the Rules in the LAN_SRV section are identical, just with "LAN_SRV net"... which i can replace with an wildcard wither xD Did the wildcard now for you, that you feel better, but it doesn't changes anything xD about the issue that windows ignores the probereply, you might have absolutely right, im googling right now, maybe i find something xD And i found this here: http://ws4d.org/dpws-explorer/ Im cloning a vm right now, to play with that tool, cause i don't want to install java on my pc xD However, need a bit time xD |
Okay in short, i found a major issue on freebsd (opnsense/pfsense). Which gooes back to freebsd bugs with q35 passthrough (passing through sr-iov intel virtual ethernet nics). However that has nothing with this here todo, just that i have multiple problems, and not able to test everything fast out 🙈 However, i had half success, original windows servers can't see each other either on different vlans. Printer is not discoverable either between 2 vlans. I was able to get it working in a virtual environment, with some dirty hacks and macvtap bridge. But that's inside proxmox and basically i mirrored a port from one vlan inside another vlan, that's like a short of multicast networks 😂 But i will dig today later. The tool above didn't worked btw. It works but not for wss. There are some security implementations and whatever 🤦♂️😂 |
Ok, looks like Windows is behaving consistently to ignore hosts from other VLANs/"non-local" IP addresses. Overall, wsdd is obviously not the cause of your issue 😀
In the Windows SDK there is tool named I'm closing this issue since wsdd is not the cause here (see above), but I'm happy to discuss it further... |
I told you in the beginning, that's it's not a wsdd bug already 🙈 Wsdd works pretty perfect. If i get my windows clients working and wsdd won't, then it is a bug, but otherwise 😂 However, thank you very much for all the help, if i find a solution, i will post it here. But there is a way to enable debugging, exactly for wsd and do a windows explorer refresh. Just the output (the logfile) is something microsoft specific crap that you can't really read 🙈 However, additionally to all that, i didn't took really some hours in the last days, to sit and try everything out and test etc. Cause of yeah, i have to work either and am a bit time limited. However, i will get it solved at some point. Will reply then. Thank you very much for all the help! Cheers ✌️ |
Yes, but you never know... 😉
Great.
Oh it works quite well for me. Just launch it from the command line (or directly from Explorer/shell) and put the thing into discovery or metadata mode (
You're welcome. |
Hey @christgau , after an eternity, i found out what the exact issue is 😂 If the discovery package comes from an unknown network, or not from the same network as the windows client is, windows won't reply and ignore it simply. There may be a way to get it still working, but that requires some changes in udpbroadcastrelay. In short udpbroadcastrelay needs to act like a proxy instead of a relay. (That's in case for opnsense/pfsense) That means simply, that there is currently no solution to this. Cheers and thanks for your work! ✌️ |
Hi, im sorry, but i can't fix it myself and gaved up now the debugging :-(
And im pretty sure that it is not an bug either, but however, in short:
My Setup:
Server (with VMs + opnsense) <--> Dumb Switch (has only multiple vlans but doesn't route between them) <--> Win10 PC
Or Simpler:
Samba-Srv (Vlan 25) --> (Vlan25) OpnSense (Vlan 27) --> Dumb Switch --> W10 PC
On the OpnSense i do the Multicast reflection with "udpbroadcastrelay"
This Service listens on port 3702 and reflects everything between this both Multicast Domains (of Vlan25+27)
This seems working, have testet it with socat + "wsdd -vv"
Without that "udpbroadcastrelay" i receive nothing on the samba server. And with it, i get the XML and wsdd seems even to respond.
But yeah, nothing shows up in the windows explorer.
If i move the PC to Vlan 25 (where samba-srv is)... Well, its working all perfect xD
But i don't get what i miss, i mean the reflection seems working and the firewall is completely open for IPv4+6 between Vlan25 & 27.
However, Logs from socat + logs from wsdd are attached +3 screenshots from the opnsense.
Sorry to bother, i know that it is a layer 8 problem, but probably you have some ideas :-)
Thanks :-)
-> Logs:
Logs.txt
The text was updated successfully, but these errors were encountered: