[PLUG] Mysterious Windows network...

michael michael at robinson-west.com
Fri Mar 16 18:59:33 UTC 2018


I have a shop to put an embedded system into that uses its own RFC1918
private network called SteadyShot.  All I know for sure is that there is
another network, RFC1918, on the other side of SteadyShot's Netgear based
wireless router.  This other network is presumably Windows based and
probably runs Windows 10 or better.  In other words, I know absolutely
nothing about this Windows network.  The embedded system needs a special
text file that is ordinarily stored on a share in this Windows network.
I envision that a Samba share in a workgroup that is for the embedded
system will need to be accessible to people on the Windows network so that
they can copy truss files to it.  By making a Windows style share available
on the embedded system running Raspbian, I get around having to run
software on the client's Windows machines or ask for a login and password
and do a CIFS mount.

What needs to be done if the mysterious Windows network is set up in
varying ways?  It could be an Active Directory network, a workgroup, a
homegroup, or a domain.  Whatever it is, this mysterious Windows network
needs to see the Samba share in the embedded workgroup and be able to
access it.  I could ask for a low privilege account in the mysterious
network, but I prefer to provide a share instead and have people in this
other network copy what is needed to that share.  I'm not the administrator
of the customer's Windows network, so I am in no position to request any
configuration changes to that network to accommodate accessing the
SteadyShot system.  I should probably let the customer choose the name of
the SteadyShot workgroup and other credentials through a web interface.
Preferable if uploading truss files from say drive N in the Windows network
to /home/pi/trusses on the Raspbian Stretch controller can be automated as
well.

I'm concerned that ports 137, 138, 139, and 445 need to cross the Netgear
router for people in the mysterious Windows network to access the
SteadyShot Samba share.  This isn't ideal.  Suggestions on a better
approach than letting all those ports through are most welcome.  Realize
that there has to be Internet access for SteadyShot router which is hooked
to the mysterious Windows network.  Opening ports can be a major security
headache where there is a high likelihood that the customer will say no.

I want to replace the Netgear with a Pi 3 running hostap, high gain
antennas, and an iptables firewall.  Building a router for less than $30...
I don't see that happening.  A custom, more expensive router is going to be
a very hard sell, but done right I could solve some security problems and
performance problems.  I don't think something better than the Netgear
R6020 is going to cost less than $150 in parts alone.  Note that I can add
a real time clock and run openvpn.  I am concerned about what antenna to
get to plug into the Pi 3 USB on both Pis.  Planning on building both the
controller and router into one enclosure.  The only proprietary piece will
be the controller program which needs to be protected.  Controller belongs
to the company I work for.  The R6020 doesn't have enough gain or maybe
it's an antenna problem...  The box 48 feet away and 15 feet or so up has
problems getting on the wifi.  The obvious answer is a better router that
is more capable, but that potentially hurts the profitability of the whole
system.
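
One way to narrow the port exposure raised in the post, shown as an added example that is not part of the original message: SMB on Windows 10 runs directly over TCP 445, so a Linux router such as the proposed Pi 3 can forward that single port to the controller and leave the NetBIOS ports 137-139 closed. The interface names, addresses and the function name `gen_rules` are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed values:
#   eth0 = router port on the customer's Windows LAN, wlan0 = SteadyShot side,
#   192.168.1.0/24 = customer LAN, 10.20.30.10 = Raspbian controller.
# Matching smb.conf [global] settings on the controller, so smbd listens on
# TCP 445 only and nmbd (UDP 137/138) is not needed:
#   smb ports = 445
#   disable netbios = yes
#   server min protocol = SMB2
# Windows clients then map \\<router address on their LAN>\<share> directly;
# NetBIOS browsing would not cross a NAT router in any case.

gen_rules() {
    # usage: gen_rules WAN_IF LAN_IF CLIENT_NET CONTROLLER_IP
    if [ "$#" -ne 4 ]; then
        echo "usage: gen_rules WAN_IF LAN_IF CLIENT_NET CONTROLLER_IP" >&2
        return 2
    fi
    wan=$1; lan=$2; net=$3; ctrl=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SMB from the customer LAN is redirected to the controller, nothing else
-A PREROUTING -i $wan -s $net -p tcp --dport 445 -j DNAT --to-destination ${ctrl}:445
# SteadyShot hosts reach the Internet through the customer LAN
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
# The only new inbound flow allowed across the router: TCP 445 to the controller
-A FORWARD -i $wan -o $lan -s $net -d $ctrl -p tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review; as root, pipe the same output to iptables-restore.
gen_rules eth0 wlan0 192.168.1.0/24 10.20.30.10
```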


