Users can't browse the internet until they ping the firewall / router

Hey guys.  Can you help a newbie Linux guy out?  This is the strangest thing.  I have a small office of about 15 users who I just recently installed an IPCop firewall for.  It has been working beautifully for the last 4 days...until this morning.  Here's the deal.

Users called me this morning and said they couldn't access the internet.  I could remote in and control any server and I had internet no problem from any server.  However, when I would remote one of their machines...sure enough...no internet.  I thought I would try pinging the firewall to make sure the user could see it, and WHAMMO, as soon as I ping the firewall, Internet access lit up just fine.

This was happening on every user's desktop.  No internet, but as soon as I would ping the IPCop box, internet worked fine.

ANY IDEAS????  So strange.  
Kevin Gibbs (IT Operations Manager) asked:

NetEngineerFox commented:
Could have been several things, maybe an address translation table issue.  Could also be a DNS problem.  I have seen it before on an IP address conflict; it needed to ping again to update the MAC table.

Does it still happen?
0
Kevin Gibbs (IT Operations Manager, Author) commented:
Yes, the problem still exists.  
0
JeffSchaper commented:
It is most likely that the computers don't have the gateway MAC address in their ARP table; when you ping it, the entry is added and it works.

I'd check the config of the default gateway, as it is likely that the ARP entry expires after 24 hrs and has dropped from the ARP table overnight.
0


Kevin Gibbs (IT Operations Manager, Author) commented:
Jeff, the users are all set to DHCP and the router/gateway is part of the options.  Prior to installing this Linux firewall, the office was running with a WatchGuard firewall that was using the exact same router/gateway IP (10.0.0.1).  This problem never existed before now.  The WatchGuard is completely gone and the new firewall has this same IP address.  So, it would seem that there would be no problem.  I'm not too terribly familiar with the ARP tables; can I get a little guidance on where I would go to check those?  THANKS!

Kevin
0
Kevin Gibbs (IT Operations Manager, Author) commented:
OK, Jeff, you are definitely on to something.  Figured out how to view the ARP tables.  Here is what seems to be happening.  On the firewall, there are 2 NICs...they refer to them as RED zone and GREEN zone.  RED being Internet (out) and GREEN being internal (in).  Well, when you run an arp -a command on a user who has no internet access, you can clearly see that the user's ARP table has 10.0.0.1 pointing to the hardware address of the RED zone...it is supposed to be the GREEN zone.

Now I do see where I can add a static entry, but I am wondering if there is a way to resolve this without doing that?  I only ask because I don't want to have to always remember to add this static ARP entry for every new computer that gets added to the network, it would seem that it should just work!  :-)
0
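The symptom Jeff describes (gateway entry missing from the ARP cache until a ping refreshes it) and the one Kevin then finds with arp -a (10.0.0.1 cached against the RED NIC's MAC instead of the GREEN one) can both be checked with the same small script. This is an added example, not code from the thread or from IPCop; the arp -a output and both MAC addresses are constructed placeholders, and the script only reads a cache dump, it does not change anything.

```python
import re

# Assumed placeholder MACs for the firewall's two NICs (not from the thread).
GREEN_MAC = "00-11-22-aa-bb-01"   # LAN-side NIC: the MAC 10.0.0.1 should resolve to
RED_MAC = "00-11-22-aa-bb-02"     # WAN-side NIC: must never appear for 10.0.0.1 on the LAN

# Constructed sample of Windows "arp -a" output from a desktop showing the symptom.
SAMPLE_ARP_OUTPUT = """\
Interface: 10.0.0.57 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-aa-bb-02     dynamic
  10.0.0.20             00-50-56-12-34-56     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

# One cache row: IPv4 address, MAC (dash or colon separated), entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)

def norm_mac(mac):
    """Lower-case, dash-separated form so Windows and Linux spellings compare equal."""
    return mac.lower().replace(":", "-")

def parse_arp(text):
    """Return {ip: (mac, type)} from Windows-style 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (norm_mac(mac), kind.lower())
    return table

def check_gateway(table, gateway_ip, expected_mac, known_wrong=()):
    """Classify the gateway's cache entry: 'ok', 'missing', 'wrong-nic' or 'unknown'."""
    entry = table.get(gateway_ip)
    if entry is None:
        return "missing"        # nothing cached yet: the "ping it and it works" case
    mac = entry[0]
    if mac == norm_mac(expected_mac):
        return "ok"
    if mac in {norm_mac(m) for m in known_wrong}:
        return "wrong-nic"      # gateway IP cached against the RED-side NIC
    return "unknown"            # some other host on the LAN answered for the gateway
```

Feed it the real arp -a output from an affected desktop and the MACs from the firewall's GREEN and RED interfaces; "unknown" is worth chasing too, since it means a third device is answering ARP for the gateway address.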
JeffSchaper commented:
Hi Kevin, am I correct to assume that both NICs are teamed so they use the same IP address?
0
Kevin Gibbs (IT Operations Manager, Author) commented:
No Jeff, they are not.  One has an internal IP address of the internal network and the other has the IP of the external network.  This is exactly how you are instructed to set up an IPCop firewall with a RED and GREEN zone.
0
Kevin Gibbs (IT Operations Manager, Author) commented:
Technically, I don't have a solution for this.  More of a workaround.  What I have done is in the user's login script there is a line that adds a static ARP entry for the router's MAC address.  Why on earth I have to do that I have no idea, but it seems to be working fine now.  Thanks!
0