Solved

WatchGuard Firebox SOHO6 setup problem: some XP Pro systems can't access the Internet, some can

Posted on 2006-04-16
Medium Priority
Last Modified: 2013-11-16
I just replaced an old Belkin one-port router with a SOHO 6 firewall router. My old setup was DHCP provided by the router, and DNS by the IP (I assume, since I am new to this; I just set all the XP Pro computers to obtain IP and DNS server address automatically and it worked fine). Now, the DHCP works fine, provided by the SOHO6; XP systems get an IP automatically, and the trusted network is OK - all can see each other. The problem is the Internet access. Some systems can get out, some can't. Every one of the ones that cannot will access the Internet when I reboot the router, but then they won't later. I have set up DNS on my Win2k3 server, no help. Did a hard reset on the SOHO6 and reset all configuration settings, no help. On the SOHO 6 it is set for DHCP enabled, DHCP relay not checked. I put the DNS server address for my ISP in the trusted network screen where it asks for the primary and secondary DNS, and put in my DNS domain suffix; the WINS server is left blank. When I scan the network I don't see any IP conflicts, and the two printers on the network that have static IP addresses are turned off. I have worked on this for an entire day, and got so discouraged that I went to reinstall my old Belkin, but it has died! So - is anyone out there with an idea this Sunday morning?? I read all the WatchGuard entries but did not find anything that seemed to help. Also, after trying the DNS setup on my server, since it did not help, I removed that service on the server, so it's now just a file server.
Question by:195ecentralave
8 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16464205
For DNS with the WatchGuard, if your connection to the ISP gets an IP using DHCP you shouldn't have to do anything. If you have a static IP you should only have to enter your primary and secondary DNS servers on the "External" web page of the router's management console.
Once you have done this, rebooting the PC or running `ipconfig /flushdns` should allow computers to get the new DNS entries. If they are using the old IPs after rebooting, check your DNS configuration on the server (see below).

HOWEVER, if you are running Server 2003 you would have better performance and far greater management capabilities by disabling DHCP on the router and configuring DNS and DHCP on the server. This allows for proper name resolution and dynamic updating of Active Directory, if you are using it. Also, it gives you far greater control of your DHCP options:

DNS
Below is a link on initial set up of DNS and DHCP. Make sure you check the following.
-The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here
-Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses: a static IP in the same subnet as the server, same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again do not put an ISP's DNS server here
-In the DNS management console under Administrative tools, right click on the server name and choose properties. On the Forwarders tab add your ISP's DNS servers

DHCP
-In the DHCP management console on the server under Administrative tools, click on the server name to expand it, click on the scope to expand it, right click on scope options and choose configure options. On the general tab add the Internet router's IP in #003 router and the server's IP in #006 DNS Servers

http://www.petri.co.il/install_and_configure_windows_2003_dns_server.htm
http://www.windowsnetworking.com/articles_tutorials/DHCP_Server_Windows_2003.html
 

Author Comment

by:195ecentralave
ID: 16464312
I do have a static IP on my server, since I run an in-house IMAP program called groupmail that requires it. When I configured the DNS on my server (and looking at the event log it appeared to be working OK; I rebooted and it said it started the service and I had no error indications) basically I had the same problems: some XP Pro computers (when I set up the DNS on the server I went in to the XP Pro computers on the network and changed their DNS to look at the server's IP address, and perhaps this was not necessary) could get to the Internet, some not. All could if I rebooted the SOHO6.
If I am going to have one (the server) static IP, will I still need to enter the primary and secondary DNS in the router trusted network configuration or not? If there are entries there, will it cause a problem?
All these computers worked fine before (and I did not really know what a DNS was) so I think somehow the router/firewall is not set up right.
Due to my limited knowledge I have been reluctant to set up DHCP, DNS and AD on my server.
Should I just clear out the DNS entries on the trusted network page and set all computers to obtain the DNS automatically? And what about the setting in Internet Explorer, LAN settings, that asks about automatic settings: will that affect only the in-house network or the Internet too?
thanks for the help!
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16464363
Make sure you look at   ***** below.

>>"changed their dns to look at the server's ip address, and perhaps this was not necessary)"
Absolutely necessary.

>>"could get to the internet, some not. "
Make sure the forwarders in DNS (not forward lookup zones) are configured correctly.

>>"If i am going to have one (the server) static ip, will i still need to enter the primary and secondary dns in the router trusted network configuration or not?"
I was looking at an older SOHO, it wasn't an option, but no, if DNS is configured on the server you will not need to add there.
>>"If there are entries there, will it cause a problem?"
You can add them, that is fine. There will be no conflict, so long as they are correct. You can even make your own DNS server the primary then and just add 1 ISP's as secondary.

*****  >>"so i think somehow the router/firewall is not set up right." *****
If some can connect and others can't, and then they can connect after rebooting the router it could be a license issue. The WatchGuard will only allow 10 users to connect to the Internet, unless you purchase and install a license upgrade. Rebooting the router resets the counter. It also remembers the specific computers so it is not 10 concurrent users, but rather the first 10 to try to connect.

>>"should i just clear out the dns entries on the trusted network page and set all computers to obtain the dns automatically?"
You can. I assume you mean the primary and secondary DNS IPs. If so, you can use just the server for DNS.

>>"what about the setting in the Internet explorer, LAN settings that asks about  automatic settings, will that affect only the inhouse network or the internet too?"
Not sure I fully understand the question. If DHCP is enabled on the workstations they will get all configuration from the DHCP server, whatever it is.
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 16464397
I am going to be out for the next 4-6 hours. This sounds like it is the license issue above. You can view the connected users under the Network page, and the number of licenses on the Status page. If this is the issue and you have the license, to install; on the status page next to licenses click upgrade and insert the key as requested. You need to have the unit registered on line with WatchGuard. Once you have created an account, you can buy licenses on-line as well if you need to.
--Rob
 

Author Comment

by:195ecentralave
ID: 16466388
I see the users' IP addresses on the network page. I thought that the limit of 10 seats was for concurrent active Internet connections, so that if a person logged off the Internet, their "seat" would open. I have 14 actual XP systems on the network, all of which will at one point or another be connected to the Internet, but never more than 10 at a time. And, as I have been testing this setup, I am pretty sure that after I logged on to test the Internet connection I exited Internet Explorer.
But if, once connected to the Internet, the SOHO kept a record of the IP address of the computer that logged on, and never opened the seat so long as the computer's IP was active in the DHCP list (which would always be the case at my office, since we never turn the computers off, even at the end of the day) even after the computer exited Internet Explorer, a SOHO reboot making the seats available would seem to explain the situation. I did not get a chance to test it tonight by counting the computers one by one but I will do that tomorrow.
Any other thoughts??
thanks,
Rick
 
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16466688
I have used numerous WatchGuards and I can assure you if you have 14 XP machines and 10 licenses it will not work. The Belkin probably had unlimited users, and some routers have concurrent users/licenses, but the WatchGuard accepts the first 10 connections and that is it. The user may not even access the Internet; if it requests a DHCP IP from the WatchGuard, Windows Update tries to contact Microsoft, virus software checks for updates, or there is any other connection with the WatchGuard, it will record the IP of the device and only allow the first 10. You can likely ping the Internet from any computer, but when you try to browse from a computer not on that list you will be blocked. Powering off and on the router resets the counter/list to 0.

You can buy a 10 to 25 user upgrade for your unit. Should be this item I believe:
http://pcworld.pricegrabber.com/search_getprod.php/masterid=238884
However to activate you must be registered with WatchGuard (free) and have an active LiveSecurity Service, which is $99 US if you do not have one. The LiveSecurity Service is included when you purchase a new unit, but you need to activate with your registration.
https://www.watchguard.com/account/register.asp
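
The seat behaviour described in this answer, set beside the concurrent model the asker expected, as an added example that is not part of the original thread and is not WatchGuard code. The class names, the `browse`/`replay` helpers and the 192.168.1.x addresses are constructed for illustration; only the rules (first 10 IPs recorded, list cleared on power cycle) come from the thread.

```python
class FirstTenSeats:
    """Thread's description: an IP is recorded on first contact and keeps
    its seat until the unit is power-cycled."""
    def __init__(self, limit=10):
        self.limit, self.seats = limit, []

    def open(self, ip):
        if ip not in self.seats and len(self.seats) < self.limit:
            self.seats.append(ip)
        return ip in self.seats          # True = traffic allowed out

    def close(self, ip):
        pass                             # closing the browser frees nothing

    def reboot(self):
        self.seats = []                  # power cycle resets the list to 0


class ConcurrentSeats(FirstTenSeats):
    """What the asker assumed: a seat is released when the host disconnects."""
    def close(self, ip):
        if ip in self.seats:
            self.seats.remove(ip)


def browse(hosts):
    """Constructed workload: each host opens a connection, then closes it."""
    return [(act, ip) for ip in hosts for act in ("open", "close")]


def replay(model, events):
    """Return the hosts that were refused, in the order they were refused."""
    blocked = []
    for action, ip in events:
        if action == "close":
            model.close(ip)
        elif not model.open(ip) and ip not in blocked:
            blocked.append(ip)
    return blocked


# Constructed sample: 14 workstations on a 10-seat unit, as in the question.
HOSTS = [f"192.168.1.{n}" for n in range(101, 115)]

if __name__ == "__main__":
    fw = FirstTenSeats()
    print("blocked before reboot:", replay(fw, browse(HOSTS)))
    fw.reboot()
    # After a reboot the seats go to whoever connects first, so a different
    # set of machines ends up locked out.
    print("blocked after reboot: ", replay(fw, browse(HOSTS[::-1])))
    print("concurrent model:     ", replay(ConcurrentSeats(), browse(HOSTS)))
```

Under the first-ten model the set of blocked machines changes with every power cycle, which matches the "works after a reboot, then fails later" symptom in the question; under the concurrent model nobody is blocked for the same workload.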
 

Author Comment

by:195ecentralave
ID: 16473332
It was the license.

I was incorrectly informed by someone who thought they knew that the SOHO will automatically "free" a seat so that there can be 10 concurrent, but changing, active Internet connections. Not the case.
Also, I was able to order an upgrade through guardsite.com and get the license issued to me by email. It took about 6 hours.

And, I activated my unit, which I bought used on the Internet, without paying for anything else, but I noticed that it expires this July, which is not one year from my activation today. So, the fellow who sold it to me and represented that it was never registered may be mistaken.

I was able to watch the connections increase on the network page one at a time, bringing up IE on each one, and reached 10 and that was it. So, you are exactly 100% correct.

Thanks for the great assist!
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16473638
You are very welcome. Glad to hear you have been able to resolve.
Technically you don't need to renew the LiveSecurity Service which you say runs out in July. However, if you ever reset the unit back to factory defaults you need to have an active LiveSecurity Service contract to be able to reinstall your License upgrade. Just so you know.
I like the WatchGuards, good dependable units.

Thanks 195ecentralave,
--Rob