Solved

New and guest PCs cannot connect to any IP outside of the private subnet

Posted on 2008-01-31
Last Modified: 2010-04-21
ENVIRONMENT:
W2K3 SB server on latest SP and patches, two stand-alone W2K3 servers also all updated with latest SPs and patches, all PCs on a domain, WatchGuard firewall, single subnet of 192.168.x.x, no ISA, IIS for internal use only company web page, no VPN, no routing and remote access configured.

PROBLEM:
Any new PC added to the domain using the wizard, and any guest PC that attaches to the physical layer, cannot reach an IP address outside of the private subnet. The new and guest PCs cannot ping an outside address or any of the usual TCP ports on an outside IP address (e.g. WEB Url, FTP, Telnet, SMTP, etc.)

The new and guest PCs can ping any address on the private subnet and can reach the company web site. The new and guest PCs can reach a web site if they are taken off-site and used on another LAN.

The problem clearly lies with the configuration of the LAN itself, not the new and guest PCs.

OTHER INFORMATION AND FAILED SOLUTIONS
No errors or warnings appear in the server event logs or the logs of the PCs, and the router is not logging any denials of service (I am working on configuring the firewall for more verbose logging, but so far nothing).

The server is the DHCP server; the PCs successfully obtain an IP address and correct IP config info. If the new PCs are joined to the domain, and even if they are configured to add the domain Administrator account to the local PC SAM, they still cannot reach an external IP.

I have looked at the firewall and there are no rules set to block outgoing traffic. Only one 'Allow All' rule exists in the firewall for outgoing traffic. Nothing changes when I explicitly set a new rule to, for example, allow HTTP traffic.

No VPNs exist. No DHCP scope or server rules exist beyond a definition of the router, gateway, and address scope -- the default usual stuff, and it is all correct.

In theory, I am the only one who makes infrastructure changes to the network, and I am not aware of any changes having been made (besides the normal Windows updates) for at least six months previous to this problem appearing.

PROBLEM AS I AM CURRENTLY APPROACHING THE PROBLEM
Something is blocking access to the internet for new IP addresses. What besides the firewall and DHCP could be keeping track of access rules assigned to IP addresses?

I'm flummoxed -- it has to be really straightforward and likely something I did and just don't remember doing -- something that would not warrant being entered into the Server Work and Change Log.

0
Question by:albevier
10 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20791360
Just a shot in the dark, but are these machines getting a default gateway address from the DHCP server?
0
 
LVL 3

Expert Comment

by:Difladermaus
ID: 20791427
Sounds like a gateway issue, but being you have had no changes and clients are DHCP makes me think otherwise. Are we certain that an existing working system can plug into the same port that a non-working system was connected to and work fine?

Difladermaus
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 20794583
I would like to know the model of WG firewall; if you have a small firewall like SOHO6 or Firebox X Edge (any model) then I would request you to check if you have a sufficient number of licenses, as the boxes come with a default license based on model. You might be running out of licenses, and as a result additional users cannot connect to the internet.

If you have bigger models like Firebox III, or Firebox X 500 (or above), then licenses would not be the issue; please make sure that when the machines get an IP from the DHCP server (which I think is not the WG firewall) the default gateway is the internal IP address of the firebox.

Please check and update.

Thank you.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20795310
Could you please post a COMPLETE ipconfig /all from both your SBS as well as a sample workstation?

Jeff
TechSoEasy
0
 

Author Comment

by:albevier
ID: 20797695
Here's a combined reply to all of the current requests for info:

- server is the source of DHCP
- ipconfig on server as well as workstations show that the GW is being correctly entered on the server and correctly picked up by the clients (See attached printout of ipconfig /all)
- The physical layer is working -- i.e. I can plug my notebook into any port that is working for a legacy PC, and my notebook cannot reach any outside IP but can reach any inside IP.
- Also, I know that the physical layer is fine because I can reach the server from a remote location and, from the server, use RDP to reach any of the new PCs that cannot find the outside.
- firewall is a WatchGuard SOHO 6 TC v6.3 build 19 ROM 5.5 licensed for 25 users
------ I am researching what the license means as I know some firewalls mean 25 VPN tunnels and others mean concurrent users etc.

I'm pursuing the WatchGuard user limitation right now as the likeliest answer.

al


C:\Documents and Settings\Administrator>ipconfig /all
 
Windows IP Configuration
 
        Host Name . . . . . . . . . . . . : dell-i3mdejhjr
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : domain.local
 
Ethernet adapter Local Area Connection:
 
        Connection-specific DNS Suffix  . : domain.local
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0D-56-04-E2-BA
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.254.134
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.254
        DHCP Server . . . . . . . . . . . : 192.168.254.3
        DNS Servers . . . . . . . . . . . : 192.168.254.3
        Primary WINS Server . . . . . . . : 192.168.254.3
        Lease Obtained. . . . . . . . . . : Friday, February 01, 2008 8:54:55 AM
 
        Lease Expires . . . . . . . . . . : Saturday, February 09, 2008 8:54:55 AM
 
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>ipconfig /all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : server
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local
 
 
Ethernet adapter Server Local Area Connection:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-12-79-D4-37-83
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.254.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.254.254
   DNS Servers . . . . . . . . . . . : 192.168.254.3
   Primary WINS Server . . . . . . . : 192.168.254.3
 
C:\Documents and Settings\Administrator>


0
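The experts above ask whether the DHCP-supplied default gateway is correct, and the ipconfig printout answers that by eye. As an added example that is not part of the thread, the Python below parses `ipconfig /all` output (the embedded sample is constructed, modelled on the workstation printout) and applies the checks a troubleshooter would make on such a lease: DHCP on, a gateway present, the gateway on the same subnet as the address, and DNS configured. The function names `parse_ipconfig`, `check_adapter` and `check_all` and the finding texts are my own.

```python
"""Check the DHCP-supplied settings in `ipconfig /all` output (added example)."""
import ipaddress
import re

# Constructed sample, modelled on the workstation printout in the thread above.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : dell-i3mdejhjr
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : domain.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.254.134
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.254
        DHCP Server . . . . . . . . . . . : 192.168.254.3
        DNS Servers . . . . . . . . . . . : 192.168.254.3
"""

# "   Key . . . . : value" -- the key ends at the run of dots/spaces before ':'
FIELD_RE = re.compile(r"^\s+(?P<key>.+?)[ .]*:\s?(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {adapter: {lowercase key: value}}; lines before the first adapter go under 'global'."""
    adapters = {"global": {}}
    current = adapters["global"]
    for line in text.splitlines():
        if not line.strip():
            continue
        # Adapter headers start in column 0 and end with ':'
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip().lower()] = m.group("value").strip()
    return adapters


def check_adapter(fields):
    """Return a list of findings; an empty list means the lease looks usable."""
    findings = []
    ip = fields.get("ip address") or fields.get("ipv4 address") or ""
    ip = ip.split("(")[0]  # newer Windows appends "(Preferred)" to the address
    mask = fields.get("subnet mask")
    gateway = fields.get("default gateway")
    if not ip or not mask:
        return ["no IPv4 address/mask: adapter has no usable lease"]
    network = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if fields.get("dhcp enabled", "").lower() != "yes":
        findings.append("DHCP disabled: settings are static, not from the DHCP server")
    if not gateway:
        findings.append("no default gateway: off-subnet traffic has nowhere to go")
    else:
        gw = ipaddress.ip_address(gateway)
        if gw not in network:
            findings.append(f"default gateway {gateway} is outside {network}")
        elif gw == ipaddress.ip_address(ip):
            findings.append("default gateway is the host's own address")
    if not fields.get("dns servers"):
        findings.append("no DNS servers: names will not resolve")
    return findings


def check_all(text):
    """Run check_adapter over every adapter that carries an address."""
    return {
        name: check_adapter(fields)
        for name, fields in parse_ipconfig(text).items()
        if name != "global" and ("ip address" in fields or "ipv4 address" in fields)
    }


if __name__ == "__main__":
    for adapter, findings in check_all(SAMPLE_IPCONFIG).items():
        print(adapter, "->", findings or "OK")
```

On the thread's workstation the checks all pass, which is exactly the point the thread reaches: a clean lease with a correct gateway narrows the fault to the device at that gateway rather than to DHCP or the client.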
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20797802
As you say you have a SOHO 6TC with 25 user license, this means that you can have 25 concurrent users for internet access.

This is the reason why all your users are not able to connect to the internet at the same time. Unfortunately in SOHO6 once a license is taken it is not replenished when the user goes offline; you need to power cycle SOHO to release licenses.

So, let's say you have 10 users who are connected to the internet; now a guest comes and plugs his computer into the network, so the SOHO would show 11 licenses as consumed. Even if the guest then leaves, the license would not get released till the SOHO is rebooted.

VPN tunnels limit by default is 10; by default there are no MUVPN licenses.

Thank you.
0
 

Author Comment

by:albevier
ID: 20797921
dpk wal

I like this -- still researching....... I see that you are quite correct about the concurrent user licensing. Right now my server shows 24 (!!!!!!!) concurrent users. The WatchGuard is licensed for 25 users.

If, as you say, the logged-off users are not replenished or returned to the queue, so to speak, then I would think you have found my answer. Let's see if I can get a test to work.

Do you suppose I can just remotely reboot the WatchGuard or are you sure that a full power cycle needs to happen?

al
0
 

Author Closing Comment

by:albevier
ID: 31426926
dpk wal -- thanks. Cleared the log and attempted access from one of the new PCs and presto - error message "User count exceeded, packet dropped"

Most excellent. Thanks
0
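dpk_wal's explanation above (seats are consumed per internal host and never handed back until the box is rebooted) and the log message that confirmed it ("User count exceeded, packet dropped") together describe a failure mode worth watching for rather than rediscovering. As an added example, not from the thread or from WatchGuard, the Python below runs that reasoning over a constructed firewall log: it counts distinct internal sources allowed out since the last reboot as consumed seats, flags each reboot as a fresh pool, records which hosts were refused with the exceeded message, and warns when usage nears the limit. The log line layout is an assumption for this example, not the SOHO 6 format; only the message text and the 25-seat limit come from the thread.

```python
"""Watch a firewall log for concurrent-user seat exhaustion (added example)."""
import re
from collections import Counter

SEAT_LIMIT = 25  # the thread's SOHO 6 is licensed for 25 concurrent users

# Constructed sample log. The line layout is an assumption for this example,
# not the SOHO 6 log format; only the "User count exceeded, packet dropped"
# message text comes from the thread.
SAMPLE_LOG = """\
2008-02-01 08:00:00 system reboot
2008-02-01 08:55:01 allow 192.168.254.10 -> 203.0.113.5 tcp 80
2008-02-01 08:55:07 allow 192.168.254.11 -> 203.0.113.5 tcp 443
2008-02-01 08:56:30 allow 192.168.254.12 -> 203.0.113.9 tcp 25
2008-02-01 08:57:02 allow 192.168.254.10 -> 203.0.113.9 tcp 443
2008-02-01 09:01:12 deny 192.168.254.134 -> 203.0.113.5 tcp 80 User count exceeded, packet dropped
2008-02-01 09:01:13 deny 192.168.254.134 -> 203.0.113.5 icmp 0 User count exceeded, packet dropped
2008-02-01 09:30:00 system reboot
2008-02-01 09:31:05 allow 192.168.254.134 -> 203.0.113.5 tcp 80
"""

TRAFFIC_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|deny) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<proto>\w+) (?P<port>\d+)(?: (?P<msg>.*))?$"
)
REBOOT_RE = re.compile(r"^(?P<ts>\S+ \S+) system reboot$")
EXCEEDED_MSG = "User count exceeded"


def seat_report(log_text, seat_limit=SEAT_LIMIT, warn_fraction=0.8):
    """Summarise seat usage per uptime epoch.

    Models the behaviour described in the thread: every internal source that
    is allowed out takes a seat, the seat is not given back until the box is
    rebooted, and newcomers are refused once the pool is gone. Seats are
    approximated as distinct internal sources with an 'allow' since the last
    reboot. Returns one summary dict per epoch, in log order.
    """
    epochs = []
    epoch = None
    for raw in log_text.splitlines():
        if m := REBOOT_RE.match(raw):
            epoch = {"since": m.group("ts"), "seats": set(), "refused": Counter()}
            epochs.append(epoch)
            continue
        m = TRAFFIC_RE.match(raw)
        if not m:
            continue  # unrelated or malformed line
        if epoch is None:  # log starts mid-uptime, reboot time unknown
            epoch = {"since": "unknown", "seats": set(), "refused": Counter()}
            epochs.append(epoch)
        if m.group("action") == "allow":
            epoch["seats"].add(m.group("src"))  # sticky: never removed
        elif m.group("msg") and EXCEEDED_MSG in m.group("msg"):
            epoch["refused"][m.group("src")] += 1
    return [_summarise(e, seat_limit, warn_fraction) for e in epochs]


def _summarise(epoch, seat_limit, warn_fraction):
    used = len(epoch["seats"])
    return {
        "since": epoch["since"],
        "seats_used": used,
        "seat_limit": seat_limit,
        "warn": used >= int(seat_limit * warn_fraction),  # alert before it bites
        "refused_hosts": dict(epoch["refused"]),          # hosts already locked out
    }


if __name__ == "__main__":
    # A limit of 3 reproduces the thread's situation on the small sample above.
    for summary in seat_report(SAMPLE_LOG, seat_limit=3):
        print(summary)
```

Run against the sample with a limit of 3, the first epoch shows the pool full and the newcomer refused twice, and the reboot at 09:30 starts a clean epoch in which that same host gets out. Polling the box's status page for the consumed count, or keying an alert on the exceeded message, would catch the condition before the next guest reports it.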
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20798338
You can reboot the WG remotely also, provided you have access to the configuration page. On the very first page System status, there is a Reboot button.

Am happy I could help! :)
0
 

Author Comment

by:albevier
ID: 20798815
Remote re-boot worked. On the way to purchase additional user licenses.
0
