WatchGuard Firebox SOHO6 setup problem: some XP Pro systems can't access the internet, some can

I just replaced an old Belkin one-port router with a SOHO 6 firewall router. My old setup was DHCP provided by the router, and DNS by the ip (I assume, since I am new to this; I just set all the XP Pro computers to obtain IP and DNS server address automatically and it worked fine). Now, the DHCP works fine, provided by the SOHO6; XP systems get an IP automatically, trusted network OK - all can see each other. The problem is the internet access. Some systems can get out, some can't. Every one of the ones that cannot will access the internet when I reboot the router, but then they won't later. I have set up DNS on my Win2k3 server, no help. Did a hard reset on the SOHO6 and reset all configuration settings, no help. On the SOHO 6 it is set for DHCP enabled, DHCP relay not checked; I put the DNS server address for my ISP in the trusted network screen where it asks for the primary and secondary DNS, and put in my DNS domain suffix; the WINS server is left blank. When I scan the network I don't see any IP conflicts, and the two printers on the network that have static IP addresses are turned off. I have worked on this for an entire day, got so discouraged that I went to reinstall my old Belkin, but it has died! So - is anyone out there with an idea this Sunday morning?? I read all the WatchGuard entries but did not find anything that seemed to help. Also, after trying the DNS setup on my server, since it did not help, I removed that service on the server, so it's now just a file server.

Rob Williams Commented:
For DNS with the WatchGuard, if your connection to the ISP gets an IP using DHCP you shouldn't have to do anything. If you have a static IP you should only have to enter your primary and secondary DNS servers on the "External" web page of the router's management console.
Once you have done this, rebooting the PC or running `ipconfig /flushdns` should allow computers to get the new DNS entries. If they are using the old IPs after rebooting, check your DNS configuration on the server (see below).

HOWEVER, if you are running Server 2003 you would have better performance and far greater management capabilities by disabling DHCP on the router and configuring DNS and DHCP on the server. This allows for proper name resolution and dynamic updating of Active Directory, if you are using it. Also, it gives you far greater control of your DHCP options.

Below is a link on initial set up of DNS and DHCP. Make sure you check the following.
-The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here
-Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses: a static IP in the same subnet as the server, same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again, do not put an ISP's DNS server here
-In the DNS management console under Administrative tools, right click on the server name and choose properties. On the Forwarders tab add your ISP's DNS servers

-In the DHCP management console on the server under Administrative tools and click on the server name to expand it, click on the scope to expand it, right click on scope options and choose configure options. On the general tab add the Internet router's IP in #003 router and the server's IP in #006 DNS Servers

195ecentralave (Author) Commented:
I do have a static IP on my server, since I run an in-house IMAP program called groupmail that requires it. When I configured the DNS on my server (and looking at the event log it appeared to be working OK; I rebooted and it said it started the service and I had no error indications) basically I had the same problems: some XP Pro computers (when I set up the DNS on the server I went in to the XP Pro computers on the network and changed their DNS to look at the server's IP address, and perhaps this was not necessary) could get to the internet, some not. All could if I rebooted the SOHO6.
If I am going to have one (the server) static IP, will I still need to enter the primary and secondary DNS in the router trusted network configuration or not? If there are entries there, will it cause a problem?
All these computers worked fine before (and I did not really know what a DNS was) so I think somehow the router/firewall is not set up right.
Due to my limited knowledge I have been reluctant to set up DHCP, DNS and AD on my server.
Should I just clear out the DNS entries on the trusted network page and set all computers to obtain the DNS automatically? And what about the setting in Internet Explorer, LAN settings, that asks about automatic settings: will that affect only the in-house network or the internet too?
thanks for the help!

Rob Williams Commented:
Make sure you look at   ***** below.

>>"changed their dns to look at the server's ip address, and perhaps this was not necessary)"
Absolutely necessary.

>>"could get to the internet, some not. "
Make sure the forwarders in DNS (not forward lookup zones) are configured correctly.

>>"If i am going to have one (the server) static ip, will i still need to enter the primary and secondary dns in the router trusted network configuration or not?"
I was looking at an older SOHO, it wasn't an option, but no, if DNS is configured on the server you will not need to add them there.

>>"If there are entries there, will it cause a problem?"
You can add them, that is fine. There will be no conflict, so long as they are correct. You can even make your own DNS server the primary then and just add one of the ISP's as secondary.

*****  >>"so i think somehow the router/firewall is not set up right." *****
If some can connect and others can't, and then they can connect after rebooting the router it could be a license issue. The WatchGuard will only allow 10 users to connect to the Internet, unless you purchase and install a license upgrade. Rebooting the router resets the counter. It also remembers the specific computers so it is not 10 concurrent users, but rather the first 10 to try to connect.

>>"should i just clear out the dns entries on the trusted network page and set all computers to obtain the dns automatically? "
You can. I assume you mean the primary and secondary DNS IPs. If so, you can use just the server for DNS.

>>"what about the setting in the Internet explorer, LAN settings that asks about  automatic settings, will that affect only the inhouse network or the internet too?"
Not sure I fully understand the question. If DHCP is enabled on the workstations they will get all configuration from the DHCP server, whatever it is.

Rob Williams Commented:
I am going to be out for the next 4-6 hours. This sounds like it is the license issue above. You can view the connected users under the Network page, and the number of licenses on the Status page. If this is the issue and you have the license, to install it: on the Status page next to licenses, click upgrade and insert the key as requested. You need to have the unit registered online with WatchGuard. Once you have created an account, you can buy licenses online as well if you need to.

195ecentralave (Author) Commented:
I see the users' IP addresses on the network page. I thought that the limit of 10 seats was for concurrent active internet connections, so that if a person logged off the internet, their "seat" would open. I have 14 actual XP systems on the network, all of which will at one point or another be connected to the internet, but never more than 10 at a time. And, as I have been testing this setup, I am pretty sure that after I logged on to test the internet connection I exited Internet Explorer.
But if, once connected to the internet, the SOHO kept a record of the IP address of the computer that logged on, and never opened the seat so long as the computer's IP was active in the DHCP list (which would always be the case at my office, since we never turn the computers off, even at the end of the day) even after the computer exited Internet Explorer, a SOHO reboot making the seats available would seem to explain the situation. I did not get a chance to test it tonight by counting the computers one by one, but I will do that tomorrow.
Any other thoughts??

Rob Williams Commented:
I have used numerous WatchGuards and I can assure you if you have 14 XP machines and 10 licenses it will not work. The Belkin probably had unlimited users, and some routers have concurrent users/licenses, but the WatchGuard accepts the first 10 connections and that is it. The user may not even access the Internet: if it requests a DHCP IP from the WatchGuard, Windows Update tries to contact Microsoft, virus software checks for updates, or there is any other connection with the WatchGuard, it will record the IP of the device and only allow the first 10. You can likely ping the Internet from any computer, but when you try to browse from a computer not on that list you will be blocked. Powering the router off and on resets the counter/list to 0.

You can buy a 10 to 25 user upgrade for your unit. Should be this item I believe:
However to activate you must be registered with WatchGuard (free) and have an active LiveSecurity Service, which is $99 US if you do not have one. The LiveSecurity Service is included when you purchase a new unit, but you need to activate with your registration.

195ecentralave (Author) Commented:
It was the license.

I was incorrectly informed by someone who thought they knew that the SOHO will automatically "free" a seat so that there can be 10 concurrent, but changing, active internet connections. Not the case.
Also, I was able to order an upgrade through and get the license issued to me by email. It took about 6 hours.

And, I activated my unit, which I bought used on the internet, without paying for anything else, but I noticed that it expires this July, which is not one year from my activation today. So, the fellow who sold it to me and represented that it was never registered may be mistaken.

I was able to watch the connections increase on the network page one at a time, bring up ie on each one and reached 10 and that was it.  So, you are exactly 100% correct.

Thanks for the great assist!

Rob Williams Commented:
You are very welcome. Glad to hear you have been able to resolve.
Technically you don't need to renew the LiveSecurity Service which you say runs out in July. However, if you ever reset the unit back to factory defaults you need to have an active LiveSecurity Service contract to be able to reinstall your License upgrade. Just so you know.
I like the WatchGuards, good dependable units.

Thanks 195ecentralave,