Solved

Device with fixed IP not seen in DHCP server manager Windows 2000

Posted on 2016-07-27
Last Modified: 2016-07-27
I always preface that I know it's wrong to still be running Win 2000 Server, but it's not my name on the building.
Welcome to budget based manufacturing.

Here's my problem. I haven't ever seen this in 16 years.
Usually, when a device gets plugged into the network with a valid MAC address, it shows up in the DHCP server. From there, I can acquire the information needed to give it a permanent reservation. We have a new PLC that does not play that way, not Windows based, and can only be configured on the client end with a fixed IP address. I gave the controller an IP, subnet, and gateway matching our network, and tried setting a reservation to match in the DHCP manager, but nothing seems to allow the reservation to be active.

The main problem is connectivity out of the building. The device has a pass through the firewall, but we are set up such that the domain controller is also the DNS server that passes DNS requests to the gateway where DNS resolution happens for real. Never a problem until this device that does not have an option to obtain an IP address from a host. Near as I can tell, this device is not getting past the DHCP manager, with or without a reservation.

Their tech support says, "To access remotely you will need to set the panel to a public IP address and allow the RMC device to pass through the firewall or allow the RMC device to access your public IP then remote into your local area network. Hope this information helps."
I'm not too sure what that means. I have even tried putting a public IP DNS (8.8.8.8) in the controller's fixed address rather than the domain controller, but we still don't seem to be able to get past the domain controller to forward DNS requests to the gateway.
What am I missing here? Every other device, domain member or not, can be managed through DHCP, but not this one. It's almost like it isn't broadcasting. I really don't know for sure. There are no tools on the controller to troubleshoot network connectivity. All I can do is ping it from machines inside the network.

Two captures for you, one shows the firewall pass through, the other the inactive DHCP lease. The one capture shows "none" on lease type, but the reservation was made DHCP only. I'm at a loss on this one. If the device can't/won't be forwarded by the internal DNS server to the gateway, it's not going to be able to leave the building, right?
(attached screenshots: PLC DMZ, IP addy)
Question by:afrend
9 Comments
 

Accepted Solution

by: Wayne88 (earned 250 total points)
ID: 41731707
"but nothing seems to allow the reservation to be active."

DHCP reservation works with the MAC address of the client, and thus when the client requests a dynamic IP, the server will then match the requester's MAC address to the one that's specified in the DHCP reservation list and assign the reserved IP.  If the client cannot request DHCP, as you claimed the PLC controller only allows a static IP and not DHCP settings, then it will never ask the DHCP server for an IP and therefore you will never see the DHCP reservation for the PLC unit as active.

"The device has a pass through the firewall"

Is the firewall rule allowing the device to pass through and route based on the device MAC address or IP?  When did this problem occur?  Did you replace the PLC unit, and then this problem occurred?  If so, try giving the device the same IP address as the old one.

"Their tech support says, 'To access remotely you will need to set the panel to a public IP address and allow the RMC device to pass through the firewall or allow the RMC device to access your public IP then remote into your local area network. Hope this information helps.'"

I don't think this applies to you because you are not trying to reach the PLC unit publicly.  Is this correct?
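The matching step in the accepted answer, shown in code as an added example (not code from the thread or from any DHCP server product): a DHCP-capable client broadcasts a DHCPDISCOVER whose fixed header carries its hardware address in the chaddr field, and the server keys its reservation table on exactly that value. A device configured with a static IP never sends the DISCOVER, so the server has nothing to match and the reservation row never becomes active. The MAC addresses, reservation table and IP ranges below are constructed for illustration.

```python
"""DHCP reservation matching: the server keys reservations on the client
hardware address (chaddr) carried in the DHCPDISCOVER, so a device that
never sends one is never matched.  Added example, not code from the thread
or from any DHCP server product; the MAC addresses, reservation table and
IP addresses below are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"                 # RFC 2132 marker before the options
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"          # fixed 236-byte RFC 2131 header
DHCPDISCOVER = 1


def build_discover(mac: str, xid: int = 0x3903F326) -> bytes:
    """Encode the DHCPDISCOVER a DHCP-capable client broadcasts on power-up."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 0,                                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                              # transaction id, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\0" * 64, b"\0" * 128)             # chaddr, sname, file
    options = bytes([53, 1, DHCPDISCOVER]) + b"\xff"  # option 53 (message type) + END
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> dict:
    """Decode the header and TLV options; returns the client MAC and message type."""
    fields = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    hlen, chaddr = fields[2], fields[11]
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:     # 255 = END option
        if packet[i] == 0:                          # 0 = PAD, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "xid": fields[4],
        "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "msg_type": options.get(53, b"\x00")[0],
        "options": options,
    }


class DhcpServer:
    """Just enough of a DHCP server to show what the lease/reservation view sees."""

    def __init__(self, reservations: dict):
        # reservations: MAC -> reserved IP, as typed into the DHCP manager
        self.reservations = {m.lower(): IPv4Address(ip) for m, ip in reservations.items()}
        self.leases = {}   # mac -> (ip, state); this is what the manager lists

    def handle(self, packet: bytes):
        """Process one client packet; returns the IP that would go in the OFFER."""
        msg = parse_dhcp(packet)
        if msg["msg_type"] != DHCPDISCOVER:
            return None
        reserved = self.reservations.get(msg["mac"])
        if reserved is None:
            return None        # would come from the dynamic pool; not modelled here
        self.leases[msg["mac"]] = (str(reserved), "active reservation")
        return str(reserved)


def demo() -> dict:
    """Two reservations; only the device that actually sends DISCOVER appears."""
    server = DhcpServer({
        "00:11:22:33:44:55": "192.168.10.50",   # constructed: a DHCP-capable workstation
        "00:aa:bb:cc:dd:ee": "192.168.10.60",   # constructed: the static-IP PLC
    })
    server.handle(build_discover("00:11:22:33:44:55"))
    # The PLC is configured statically and never broadcasts a DISCOVER, so the
    # server has nothing to match its reservation against: no lease row appears.
    return dict(server.leases)
```

Because the static device never talks to the server, its hardware address has to be learned some other way (for example from the ARP cache of a host that has pinged it) if you want the reservation on file for documentation, but the reservation will still never show as active.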

Author Comment

by:afrend
ID: 41731744
This is a new device and the first of its kind, with fixed IP. That's why I am having trouble dealing with it in this manner, but thank you as this confirms that it's never going to work via DHCP.

The goal is to gain connectivity out of the building such that it can send out service messages via DHCP and be managed remotely via a mobile device.

The device allows you to set IP/Subnet/Gateway/DNS/NTP.
I'm going to try putting the public IP of the ISP as the Gateway and 8.8.8.8 as the DNS server.

Thank you. I'll keep you posted.

Expert Comment

by:Wayne88
ID: 41731769
Putting in the public IP directly in the PLC unit won't help, and 8.8.8.8 is Google's DNS server.  That won't help anything in terms of what you're trying to achieve.  The reason is because the PLC unit is internal, behind the firewall/router.  If it's outside of the router/firewall then you may be able to reach it directly if the PLC unit is assigned a public static IP address.  Note that if you're trying to reach the device by using IP address then you don't even need the DNS settings.  You only need DNS if you're going to do machine name or URL to IP address translation or reverse lookup (reverse DNS).

"The goal is to gain connectivity out of the building such that it can send out service messages via DHCP and be managed remotely via a mobile device."

Then in this case the tech's statement is correct: "To access remotely you will need to set the panel to a public IP address and allow the RMC device to pass through the firewall or allow the RMC device to access your public IP then remote into your local area network. Hope this information helps."

The mobile device must be pointed to your public IP address, then you will need to set a port forwarding rule on your router/firewall to allow traffic to/from the PLC unit to respond to communication directed at this port in order to be able to reach it from outside the company.

When you said "it can send out service messages via DHCP", do you mean you are trying to have the PLC unit send automated emails via your email server?

Assisted Solution

by: Bryant Schaper (earned 250 total points)
ID: 41731801
To tack onto Wayne's comments, DHCP provides addresses to devices that are looking for a DHCP address; if the new device does not support DHCP it will never show up on the DHCP server.  You will have to provide a static IP address, subnet and gateway along with your DNS server, which can be the domain controller as it probably runs DNS.

Now for connectivity out, your router or firewall needs to allow this device access to the internet.  What is this device?  If it is a firewall you will more than likely need to add some rules to allow the device out; for example, our firewall does not allow unauthenticated traffic to the internet, so my switches for example cannot ping 8.8.8.8 but a named AD user can.  I could create a rule to allow this, but I don't.

For the inbound traffic you will more than likely need a NAT translation that says that traffic to a specific port inbound on the firewall's public IP gets translated to an internal address and port.  For example we have camera servers and we have a public IP on each site's firewall that allows port 12345 traffic to be routed to 10.0.0.5 port 12345 on the inside, and when the inside communicates out on 12345 it comes from port 12345 with the public IP.
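The two rules Bryant describes, a port-restricted inbound NAT translation and an outbound policy that only lets named inside hosts originate traffic, modelled as an added example (not code from the thread or from any firewall product). The public address 203.0.113.10, the inside addresses, the vendor port 12345 and the packets pushed through it are constructed for illustration; the model is stateful, so replies in either direction are translated back through the same entry rather than needing a second rule.

```python
"""Stateful NAT / port-forward model: inbound traffic to (public IP, port)
is translated to (inside IP, port) only when an explicit forward rule
exists, outbound traffic is only allowed from listed inside hosts, and
replies on either kind of flow are translated back through state.
Added example; addresses, ports and hosts are constructed, not taken from
the thread or any product."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


Endpoint = Tuple[str, int]


class EdgeFirewall:
    def __init__(self, public_ip: str, forwards: Dict[Tuple[str, int], Endpoint],
                 outbound_allowed: Set[str]):
        self.public_ip = public_ip
        self.forwards = forwards                  # (proto, public port) -> (inside ip, inside port)
        self.outbound_allowed = outbound_allowed  # inside hosts permitted to originate traffic
        # (proto, remote ip, remote port, public port) -> (inside ip, inside port)
        self.state: Dict[Tuple[str, str, int, int], Endpoint] = {}
        self._next_port = 40000                   # ephemeral ports for masqueraded flows

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet on the outside interface: translated packet, or None if dropped."""
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        inside = self.state.get(key)              # reply to a flow an inside host opened?
        if inside is None:
            inside = self.forwards.get((pkt.proto, pkt.dport))   # explicit DNAT rule?
            if inside is None:
                return None                       # default deny: no rule, no state
            self.state[key] = inside              # remember so the reply can go back out
        return replace(pkt, dst=inside[0], dport=inside[1])

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet on the inside interface: translated packet, or None if dropped."""
        for (proto, rip, rport, pport), inside in self.state.items():
            if inside == (pkt.src, pkt.sport) and (proto, rip, rport) == (pkt.proto, pkt.dst, pkt.dport):
                return replace(pkt, src=self.public_ip, sport=pport)   # reply on an existing flow
        if pkt.src not in self.outbound_allowed:
            return None                           # unlisted host may not originate traffic
        pport = self._next_port
        self._next_port += 1
        self.state[(pkt.proto, pkt.dst, pkt.dport, pport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pport)


def demo() -> dict:
    """Constructed traffic: vendor app in, PLC reply out, an unrelated probe,
    a switch that is not allowed out, and the PLC's own DNS query and answer."""
    fw = EdgeFirewall(public_ip="203.0.113.10",
                      forwards={("tcp", 12345): ("10.0.0.5", 12345)},
                      outbound_allowed={"10.0.0.5"})
    vendor_in = fw.inbound(Packet("tcp", "198.51.100.7", 51000, "203.0.113.10", 12345))
    plc_reply = fw.outbound(Packet("tcp", "10.0.0.5", 12345, "198.51.100.7", 51000))
    ssh_probe = fw.inbound(Packet("tcp", "198.51.100.7", 51001, "203.0.113.10", 22))
    switch_dns = fw.outbound(Packet("udp", "10.0.0.2", 5353, "8.8.8.8", 53))
    plc_dns = fw.outbound(Packet("udp", "10.0.0.5", 5353, "8.8.8.8", 53))
    dns_reply = fw.inbound(Packet("udp", "8.8.8.8", 53, "203.0.113.10", plc_dns.sport))
    return {"vendor_in": vendor_in, "plc_reply": plc_reply, "ssh_probe": ssh_probe,
            "switch_dns": switch_dns, "plc_dns": plc_dns, "dns_reply": dns_reply}
```

The point of the default-deny branch is the one the author raised about his "any" rule: only the vendor's port reaches the PLC, and a probe at any other port on the public address is dropped even though the PLC sits behind a forward.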

Author Comment

by:afrend
ID: 41731812
I'm sorry that I misspoke on that. I meant to say "it can send out service messages via SMTP."

Below are the rules I am currently using to forward the ports, currently any, and if that works, then I can narrow it down to the port needed. Right now, I'm just trying to gain connectivity.

There really isn't any good help with this and the app side. The full instructions are "Enter IP and Port #."
That's it.
So I assume that means, as you said, the public IP is what they connect to, and the software finds the controller once "inside."

Author Comment

by:afrend
ID: 41731818
Forgot the file...bidir.jpg

Expert Comment

by:Wayne88
ID: 41731827
If the app side only requires an IP address and port then you won't have to worry about DNS settings.  You just need to open up a port on your router/firewall to point to the static IP address for the PLC unit.  You should then be able to reach the PLC unit from outside by using the public IP address and port number assigned.

As for the SMTP, there should be a setting on the PLC for SMTP and you just need to type in the SMTP email server IP address, as long as the email server allows relaying from internal devices (you may need to specify the IP address of the PLC unit in your email server to allow relaying).  I only allow certain machines to send out messages for security reasons.

The public IP is what they connect to, and the software finds the controller once "inside." - the software won't need to find the PLC because the port forwarding rule is a static reference (point to the static IP address you have given the PLC).

Author Comment

by:afrend
ID: 41731858
So, talking with the guy working with this, the problem is that the app on the phones assumes direct connectivity such as a VPN. The UTM does have VPN software for mobile devices, but I'm not comfortable having that ability on a private device. We do not have corporate mobile phones, just a reimbursement for those who use it for work. That also calls for a VPN connection to be "always on" to be able to send alerts.

But as it turns out, what we get now from the vendor is that this problem is easily addressed in the following manner. I guess they just assumed a manufacturing plant didn't have the "fancy" stuff, and made a base sale, just not the right sale.

"DHCP assignable IP addresses can only be done on the EZ Panels listed below.
EZCE Series
EZWindows Series
EZTouchPlus Series"

Yep. We got the wrong one...
Point awards to follow.
Thanks to all.

Expert Comment

by:Wayne88
ID: 41731869
Great, glad you got it solved.  Cheers!