New and guest PCs cannot connect to any IP outside of the private subnet

ENVIRONMENT:
W2K3 SB server on latest SP and patches, two stand-alone W2K3 servers also all updated with latest SPs and patches, all PCs on a domain, WatchGuard firewall, single subnet of 192.168.x.x, no ISA, IIS for internal use only company web page, no VPN, no routing and remote access configured.

PROBLEM:
Any new PC added to the domain using the wizard, and any guest PC that attaches to the physical layer, cannot reach an IP address outside of the private subnet. The new and guest PCs cannot ping an outside address or any of the usual TCP ports on an outside IP address (e.g. web URL, FTP, Telnet, SMTP, etc.).

The new and guest PCs can ping any address on the private subnet and can reach the company web site. The new and guest PCs can reach a web site if they are taken off-site and used on another LAN.

The problem clearly lies with the configuration of the LAN itself, not the new and guest PCs.

OTHER INFORMATION AND FAILED SOLUTIONS:
No errors or warnings appear in the server event logs or the logs of the PCs; the router is not logging any denials of service (I am working on configuring the firewall for more verbose logging, but so far nothing).

The server is the DHCP server; the PCs successfully obtain an IP address and correct IP config info. If the new PCs are joined to the domain, and even if they are configured to add the domain Administrator account to the local PC SAM, they still cannot reach an external IP.

I have looked at the firewall and there are no rules set to block outgoing traffic. Only one 'Allow All' rule exists in the firewall for outgoing traffic. Nothing changes when I explicitly set a new rule to, for example, allow HTTP traffic.

No VPNs exist. No DHCP scope or server rules exist beyond a definition of the router, gateway, address scope -- the default usual stuff, and it is all correct.

In theory, I am the only one who makes infrastructure changes to the network, and I am not aware of any changes having been made (besides the normal Windows updates) for at least six months previous to this problem appearing.

HOW I AM CURRENTLY APPROACHING THE PROBLEM:
Something is blocking access to the internet for new IP addresses. What, besides the firewall and DHCP, could be keeping track of access rules assigned to IP addresses?

I'm flummoxed -- it has to be really straightforward and likely something I did and just don't remember doing -- something that would not warrant being entered into the Server Work and Change Log.

albevier asked:

bhnmi commented:
Just a shot in the dark, but are these machines getting a default gateway address from the DHCP server?
Difladermaus commented:
Sounds like a gateway issue, but being you have had no changes and clients are DHCP makes me think otherwise. Are we certain that an existing working system can plug into the same port that a non-working system was connected to and work fine?

Difladermaus
dpk_wal commented:
I would like to know the model of the WG firewall; if you have a small firewall like a SOHO6 or Firebox X Edge (any model), then I would request you to check if you have a sufficient number of licenses, as the boxes come with a default license based on model. You might be running out of licenses, and as a result additional users cannot connect to the internet.

If you have bigger models like Firebox III, or Firebox X 500 (or above), then licenses would not be the issue; please make sure that when the machines get an IP from the DHCP server (which I think is not the WG firewall), the default gateway is the internal IP address of the Firebox.

Please check and update.

Thank you.


Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Could you please post a COMPLETE ipconfig /all from both your SBS as well as a sample workstation?

Jeff
TechSoEasy
albevier (author) commented:
Here's a combined reply to all of the current requests for info:

- server is the source of DHCP
- ipconfig on the server as well as the workstations shows that the GW is being correctly entered on the server and correctly picked up by the clients (see the ipconfig /all printout below)
- The physical layer is working -- i.e. I can plug my notebook into any port that is working for a legacy PC and my notebook cannot reach any outside IP but can reach any inside IP.
- Also, I know that the physical layer is fine because I can reach the server from a remote location and from the server, use RDP to reach any of the new PCs that cannot find the outside.
- firewall is a WatchGuard SOHO 6 TC v6.3 build 19 ROM 5.5 licensed for 25 users
  - I am researching what the license means, as I know for some firewalls 25 means VPN tunnels and for others concurrent users, etc.

I'm pursuing the WatchGuard user limitation right now as the likeliest answer.

al


C:\Documents and Settings\Administrator>ipconfig /all
 
Windows IP Configuration
 
        Host Name . . . . . . . . . . . . : dell-i3mdejhjr
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : domain.local
 
Ethernet adapter Local Area Connection:
 
        Connection-specific DNS Suffix  . : domain.local
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0D-56-04-E2-BA
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.254.134
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.254
        DHCP Server . . . . . . . . . . . : 192.168.254.3
        DNS Servers . . . . . . . . . . . : 192.168.254.3
        Primary WINS Server . . . . . . . : 192.168.254.3
        Lease Obtained. . . . . . . . . . : Friday, February 01, 2008 8:54:55 AM
 
        Lease Expires . . . . . . . . . . : Saturday, February 09, 2008 8:54:55 AM
 
C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>ipconfig /all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : server
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local
 
 
Ethernet adapter Server Local Area Connection:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-12-79-D4-37-83
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.254.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.254.254
   DNS Servers . . . . . . . . . . . : 192.168.254.3
   Primary WINS Server . . . . . . . : 192.168.254.3
 
C:\Documents and Settings\Administrator>

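The client-side sanity check the replies above ask for (is there a default gateway, and is it on the client's own subnet?), as an added example that is not code from the thread or from WatchGuard. It parses the workstation `ipconfig /all` output posted above, deliberately keeping the console line-wrap inside the adapter description because pasted output wraps exactly like that; the two broken variants (no gateway handed out, gateway on a different subnet) are constructed for illustration. An empty findings list is the thread's own situation: the client configuration is fine and the blockage is upstream, at the gateway device.

```python
"""Check the DHCP-assigned configuration in `ipconfig /all` output.

Added example for this thread, not part of the original posts.  It answers
the two questions the replies ask first: did the client get a default gateway
at all, and is that gateway inside the client's own subnet?
"""
import ipaddress
import re

# Workstation output as posted in the thread (host block plus the adapter).
WORKSTATION_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : dell-i3mdejhjr
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : domain.local
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connect
ion
        Physical Address. . . . . . . . . : 00-0D-56-04-E2-BA
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.254.134
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.254
        DHCP Server . . . . . . . . . . . : 192.168.254.3
        DNS Servers . . . . . . . . . . . : 192.168.254.3
"""

# Constructed failure variants (NOT from the thread): lease without a gateway,
# and a gateway that DHCP handed out on the wrong subnet.
NO_GATEWAY_IPCONFIG = "\n".join(
    l for l in WORKSTATION_IPCONFIG.splitlines() if "Default Gateway" not in l)
WRONG_SUBNET_IPCONFIG = WORKSTATION_IPCONFIG.replace("192.168.254.254", "192.168.1.1")

# "Key . . . . : value" -- the key ends at the first dot/colon; dots are padding.
KEY_VALUE = re.compile(r"^\s*([^.:]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section: {key.lower(): value}}; "" holds the host-level lines."""
    sections = {"": {}}
    current, last_key = sections[""], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            last_key = None
            continue
        if not line[0].isspace() and line.endswith(":"):
            # Adapter header, e.g. "Ethernet adapter Local Area Connection:"
            current = sections.setdefault(line[:-1].strip(), {})
            last_key = None
            continue
        m = KEY_VALUE.match(line)
        if m:
            last_key = m.group(1).strip().lower()
            current[last_key] = m.group(2).strip()
        elif last_key is not None:
            # Console wrap at a fixed column: glue the fragment onto the value.
            current[last_key] += line.strip()
    return sections


def check_adapter(cfg):
    """Findings for one adapter; an empty list means the client side is sane."""
    findings = []
    ip, mask, gw = (cfg.get(k, "") for k in ("ip address", "subnet mask", "default gateway"))
    if cfg.get("dhcp enabled", "").lower() == "yes" and not cfg.get("dhcp server"):
        findings.append("DHCP enabled but no DHCP server recorded: lease not obtained")
    if not ip or not mask:
        findings.append("no IPv4 address/mask on this adapter")
        return findings
    if ip.startswith("169.254."):
        findings.append(f"APIPA address {ip}: no DHCP offer arrived")
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    if not gw:
        findings.append("no default gateway: off-subnet traffic has nowhere to go")
    else:
        try:
            if ipaddress.IPv4Address(gw) not in net:
                findings.append(f"default gateway {gw} is not inside {net}; ARP for it will fail")
        except ValueError:
            findings.append(f"unparseable default gateway value {gw!r}")
    return findings


def diagnose(text):
    """Map adapter name -> findings, skipping the host-level block."""
    return {name: check_adapter(cfg)
            for name, cfg in parse_ipconfig(text).items() if name}


if __name__ == "__main__":
    for label, sample in (("posted", WORKSTATION_IPCONFIG),
                          ("no gateway", NO_GATEWAY_IPCONFIG),
                          ("wrong subnet", WRONG_SUBNET_IPCONFIG)):
        for adapter, findings in diagnose(sample).items():
            print(f"[{label}] {adapter}: {findings or 'OK - look upstream at the gateway device'}")
```

Paste the output of `ipconfig /all` from a failing and a working client into the same check; if both come back clean, the next thing to inspect is the device at the gateway address, not the clients.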
dpk_wal commented:
As you say you have a SOHO 6TC with a 25-user license, this means that you can have 25 concurrent users for internet access.

This is the reason why all your users are not able to connect to the internet at the same time. Unfortunately in SOHO6 once a license is taken it is not replenished when the user goes offline; you need to power cycle SOHO to release licenses.

So, let's say you have 10 users who are connected to the internet; now a guest comes and plugs his computer into the network, so the SOHO would show 11 licenses as consumed. Even if the guest goes away, the license would not get released till the SOHO is rebooted.

VPN tunnels limit by default is 10; by default there are no MUVPN licenses.

Thank you.
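A small model of the user-count behaviour dpk_wal describes above, added here as an example; it is not WatchGuard's code. It implements a per-host slot counter in two flavours: the sticky policy described in the reply (a slot is taken the first time an internal host passes traffic and is only freed by a reboot) and the release-on-idle policy that people usually assume a "concurrent users" limit means. The 25-slot limit is the thread's; the host names and the order of traffic are constructed, chosen so that 20 staff PCs plus five guests who have long since left fill the box before a brand-new PC ever sends a packet.

```python
"""Per-host user-count limit: sticky (freed only by reboot) vs release-on-idle.

Added example for this thread, modelling the behaviour described in the
reply above; not WatchGuard firmware code.  The 25-slot limit is the one the
thread names; hosts and traffic order are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class UserCounter:
    limit: int
    sticky: bool = True                  # True: slot kept until reboot (as described)
    active: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def packet(self, host):
        """Return True if traffic from `host` is passed, False if it is dropped."""
        if host in self.active:
            return True                  # known host, its slot is already held
        if len(self.active) >= self.limit:
            self.dropped.append(host)    # "User count exceeded, packet dropped"
            return False
        self.active.add(host)
        return True

    def idle(self, host):
        """Host goes quiet; frees its slot only under the release-on-idle policy."""
        if not self.sticky:
            self.active.discard(host)

    def reboot(self):
        """Power cycle / remote reboot: every slot is released."""
        self.active.clear()


def replay(events, limit=25, sticky=True):
    """Apply ("packet"|"idle"|"reboot", host) events; return (counter, pass/drop log)."""
    fw = UserCounter(limit, sticky)
    log = []
    for kind, host in events:
        if kind == "packet":
            log.append((host, fw.packet(host)))
        elif kind == "idle":
            fw.idle(host)
        elif kind == "reboot":
            fw.reboot()
    return fw, log


def build_scenario():
    """Constructed traffic: 20 staff PCs, 5 guests who each leave, then one new PC."""
    events = [("packet", f"pc{i:02d}") for i in range(1, 21)]
    for g in range(1, 6):
        events += [("packet", f"guest{g}"), ("idle", f"guest{g}")]
    events.append(("packet", "newpc"))
    return events


if __name__ == "__main__":
    for sticky in (True, False):
        fw, log = replay(build_scenario(), sticky=sticky)
        print(f"sticky={sticky}: newpc passed={log[-1][1]}, "
              f"slots held={len(fw.active)}, dropped={fw.dropped}")
    fw, log = replay(build_scenario() + [("reboot", None), ("packet", "newpc")])
    print(f"after reboot: newpc passed={log[-1][1]}, slots held={len(fw.active)}")
```

Under the sticky policy the five departed guests still hold slots, so the 26th distinct host is dropped even though only 21 machines are actually on the LAN; under release-on-idle the same sequence leaves room. That gap between "concurrent" in the datasheet and "distinct since last reboot" in practice is what the thread ran into.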
albevier (author) commented:
dpk wal

I like this -- still researching....... I see that you are quite correct about the concurrent user licensing. Right now my server shows 24 (!!!!!!!) concurrent users. The WatchGuard is licensed for 25 users.

If, as you say, the logged-off users are not replenished or returned to the queue, so to speak, then I would think you have found my answer. Let's see if I can get a test to work.

Do you suppose I can just remotely reboot the WatchGuard or are you sure that a full power cycle needs to happen?

al
albevier (author) commented:
dpk_wal -- thanks. Cleared the log and attempted access from one of the new PCs and presto - error message "User count exceeded, packet dropped".

Most excellent. Thanks
dpk_wal commented:
You can reboot the WG remotely also, provided you have access to the configuration page. On the very first page System status, there is a Reboot button.

Am happy I could help! :)
albevier (author) commented:
Remote reboot worked. On the way to purchase additional user licenses.