It sounds like you have 2 networks that you want to connect, that are different 
IP space (this requires a router), or the same IP space (this requires a router 
with NAT). What runs on the networks isn't particularly important at this step. 
If you're going to use a firewall on this router, you will need to allow UDP 
137-138 and TCP 137, 139, 445 to pass through in the appropriate direction (if the 
firewall is stateless, this gets more complicated. Hopefully you don't have 
this problem) for Windows file shares. If you are doing NAT, you'll also need 
to make sure that the ports are properly NAT'd to the destination. Depending on 
how restrictive the firewall is, you may have to allow ports regardless of 
whether you connect to a remote share, or remote people connect to your device.

They may wish you to join your host to their Active Directory. In this case, I'd 
read up on how to do that with Samba. Last I talked with people about it, it 
was non-trivial. They may not. In that case, you either need to allow anonymous 
access (r/w), or create local accounts for all the people who will need to 
access the system (might be easier to bind it to AD, where you get that for 
free, also, they manage access instead of you).

I think that building a custom router is unlikely to be cheaper medium/long 
term but there may be other advantages. You should probably come up with a list 
of reasons for/against so you can better understand the cost/benefit analysis 
of what you want to do.


> On Mar 16, 2018, at 1:59 PM, michael <[email protected]> wrote:
> 
> I have a shop to put an embedded system into that uses its own RFC1918 
> private network called SteadyShot.  All I know for sure is that
> there is another network, RFC1918, on the other side of SteadyShot's Netgear 
> based wireless router.  This other network is presumably
> Windows based and probably runs Windows 10 or better.  In other words, I know 
> absolutely nothing about this Windows network.  The
> embedded system needs a special text file that is ordinarily stored on a 
> share in this Windows network.  I envision a samba share in a
> workgroup that is for the embedded system will need to be accessible to 
> people on the Windows network so that they can copy truss files
> to it.  By making a Windows style share available on the embedded system 
> running Raspbian, I get around having to run software on the
> client's Windows machines or ask for a login and password and do a CIFS mount.
> 
> What needs to be done if the mysterious Windows network is set up in varying 
> ways?  It could be an Active Directory
> network, a workgroup, a homegroup, or a domain.  Whatever it is, this 
> mysterious Windows network needs to see the samba share in the embedded
> workgroup and be able to access it.  I could ask for a low privilege account 
> in the mysterious network, but I prefer to provide a share
> instead and have people in this other network copy what is needed to that 
> share.  I'm not the administrator of the customer's Windows network,
> so I am in no position to request any configuration changes to that network 
> to accommodate accessing the SteadyShot system.  I should probably
> let the customer choose the name of the SteadyShot workgroup and other 
> credentials through a web interface.  Preferable if uploading truss files
> from say drive N in the Windows network to /home/pi/trusses on the Raspbian 
> Stretch controller can be automated as well.
> 
> I'm concerned that ports 137, 138, 139, and 445 need to cross the Netgear 
> router for people in the mysterious Windows network to access the
> SteadyShot Samba share.  This isn't ideal.  Suggestions on a better approach 
> than letting all those ports through are most welcome.  Realize
> that there has to be Internet access for SteadyShot router which is hooked to 
> the mysterious Windows network.  Opening ports can be a major
> security headache where there is a high likelihood that the customer will say 
> no.
> 
> I want to replace the Netgear with a Pi 3 running hostap, high gain antennas, 
> and an iptables firewall. Building a router for less than $30...
> I don't see that happening.  A custom more expensive router is going to be a 
> very hard sell, but done right I could solve some security
> problems and performance problems.  I don't think something better than the 
> Netgear R6020 is going to cost less than $150 in parts alone.  Note
> that I can add a real time clock and run openvpn.  I am concerned about what 
> antenna to get to plug into the Pi 3 usb on both Pi's.  Planning
> on building both the controller and router into one enclosure.  The only 
> proprietary piece will be the controller program which needs to be
> protected.  Controller belongs to the company I work for.  The R6020 doesn't 
> have enough gain or maybe it's an antenna problem...  The box 48
> feet away and 15 feet or so up has problems getting on the wifi.  The obvious 
> answer is a better router that is more capable, but that potentially
> hurts the profitability of the whole system.
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug

--
Louis Kowolowski                                [email protected]
Cryptomonkeys:                                   http://www.cryptomonkeys.com/

Making life more interesting for people since 1977
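
Added example, not part of the original message: a stateful iptables ruleset for a Linux router between the two networks, passing only the ports the reply lists (UDP 137-138, TCP 137, 139, 445) from the customer subnet to the Samba host and NATing them to it. The function name, interface names and addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a router with one interface on the
# customer's Windows network and one on the embedded network.
# Every name and address passed in is a constructed placeholder.
smb_ruleset() {
    up_if=$1    # interface facing the customer's Windows network
    in_if=$2    # interface facing the embedded network
    clients=$3  # customer subnet allowed to reach the share (CIDR)
    samba=$4    # address of the Samba host on the embedded network

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $up_if -s $clients -p tcp -m multiport --dports 137,139,445 -j DNAT --to-destination $samba
-A PREROUTING -i $up_if -s $clients -p udp --dport 137:138 -j DNAT --to-destination $samba
-A POSTROUTING -o $up_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $in_if -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $in_if -o $up_if -j ACCEPT
-A FORWARD -i $up_if -o $in_if -s $clients -d $samba -p tcp -m multiport --dports 137,139,445 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $up_if -o $in_if -s $clients -d $samba -p udp --dport 137:138 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Check the syntax without committing anything (needs root):
#   smb_ruleset eth0 wlan0 192.168.1.0/24 10.42.0.10 | iptables-restore --test
```

Because the FORWARD policy is DROP and replies are matched by connection state, nothing else from the customer side reaches the embedded network, while the embedded side keeps outbound Internet access through MASQUERADE.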
