Redoing an existing network....

#31 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 15 March 2013 - 09:37

As 99% of the time, the great BudMan is correct: my DHCP server is the DC:

(screenshot)

ARP table:

(screenshot)

WAN side:

(screenshot)


#32 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 93
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 15 March 2013 - 11:12

You forgot the five 9s on your 99 ;)

Well, I can tell right off why you might have issues with your network: you're using the gateway as DNS. As I mentioned before, in AD you ONLY talk to AD DNS -- your ZyXEL has not a clue about your AD structure; he might be able to resolve google.com for you -- but he sure as hell cannot resolve your AD domain entries. You point to your DC, and your DC forwards the queries he does not have the answer to on to your ISP, or Google DNS, or OpenDNS, etc.

Another issue I see: why is your DHCP lease only 1 hour?? That is utterly pointless in a network of so few using a /24. That is just unnecessary traffic and possible issues with not renewing, etc.

Is this your machine -- why are VMware interfaces on it? Looks like you have IPv6 still enabled -- are you using that? Doubt it, so just other **** that can cause problems on your network.

I personally would do some cleanup on your boxes and disable IPv6 if you're not using it. Purely from a security aspect, you don't run protocols you don't need! Simple fix to disable via a reg entry:

reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

If you're going to run IPv6 on your network, then set it up.. Your clients don't need a 6to4 interface, they don't need a Teredo interface..

Your network hardware is prob not the problem; your problem when you say you're rebooting everything might be as simple as your clients not pointing to ONLY AD for DNS.. And/or your DHCP server craps out, and your clients' leases expire in 1 hour, so then everyone would be dead in the water.

And if everyone has IPv6 enabled but not using it -- bunch of, again, unnecessary traffic flowing, a lot of it broadcast that would just be wasting your wireless bandwidth since your wireless is not isolated to a wireless segment and you have 19 active devices from your ARP on your network. You've got your clients asking for renewals every 30 minutes.
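The three things read off the screenshot in the post above (gateway handed out as DNS, a 1-hour lease, IPv6 tunnel adapters on the client) can be checked from a client's `ipconfig /all` text. This is an added example, not code from the thread; the sample output is constructed, and the DC address 192.168.100.10 is an assumption (the thread only names the 192.168.100.100 gateway).

```python
"""Audit a client's `ipconfig /all` text for the three things flagged above:
DNS not limited to AD DNS, a one-hour DHCP lease, and IPv6 tunnel adapters
(Teredo/ISATAP/6to4). SAMPLE is constructed, not captured from the poster's
machine; the DC address 192.168.100.10 is assumed (the thread never names it)."""
import re
from datetime import datetime, timedelta

SAMPLE = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.100.57(Preferred)
   Lease Obtained. . . . . . . . . . : Friday, March 15, 2013 9:00:00 AM
   Lease Expires . . . . . . . . . . : Friday, March 15, 2013 10:00:00 AM
   Default Gateway . . . . . . . . . : 192.168.100.100
   DNS Servers . . . . . . . . . . . : 192.168.100.100
                                       192.168.100.10
Tunnel adapter isatap.{A1B2C3D4-0000-0000-0000-000000000000}:
   Media State . . . . . . . . . . . : Media disconnected
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Media State . . . . . . . . . . . : Media disconnected
"""
AD_DNS = {"192.168.100.10"}              # assumed DC; 192.168.100.100 is the ZyXEL gateway
TIMEFMT = "%A, %B %d, %Y %I:%M:%S %p"   # ipconfig's lease timestamp format (US locale)
TUNNELS = ("teredo", "isatap", "6to4")

def _field(text, name):
    """Values of one ipconfig field, including indented continuation lines."""
    m = re.search(rf"^\s+{name}[ .]*: (.*)((?:\n {{30,}}\S.*)*)", text, re.M)
    return [m.group(1).strip()] + m.group(2).split() if m else []

def audit(text, ad_dns=AD_DNS, min_lease=timedelta(hours=4)):
    """Return findings for one client; an empty list means it matches the advice."""
    findings = []
    bad = [d for d in _field(text, "DNS Servers") if d not in ad_dns]
    if bad:
        findings.append("non-AD DNS server(s) configured: " + ", ".join(bad))
    got, exp = _field(text, "Lease Obtained"), _field(text, "Lease Expires")
    if got and exp:
        lease = datetime.strptime(exp[0], TIMEFMT) - datetime.strptime(got[0], TIMEFMT)
        if lease < min_lease:   # DHCP clients try to renew at half the lease (T1)
            findings.append(f"DHCP lease is only {lease}; renewals every {lease / 2}")
    for line in text.splitlines():
        if line.startswith("Tunnel adapter") and any(t in line.lower() for t in TUNNELS):
            findings.append("IPv6 tunnel adapter present: " + line[15:].rstrip(":"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run it against `ipconfig /all > client.txt` from each workstation; a client that only lists the DC as DNS, has a multi-day lease and no tunnel adapters returns no findings.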

#33 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 15 March 2013 - 22:56

You forgot the five 9s on your 99 ;)

?

Well, I can tell right off why you might have issues with your network: you're using the gateway as DNS. As I mentioned before, in AD you ONLY talk to AD DNS -- your ZyXEL has not a clue about your AD structure; he might be able to resolve google.com for you -- but he sure as hell cannot resolve your AD domain entries. You point to your DC, and your DC forwards the queries he does not have the answer to on to your ISP, or Google DNS, or OpenDNS, etc.

OK, so then what should I change?

Another issue I see: why is your DHCP lease only 1 hour??

Could this be a DC setting (since we have come to the conclusion that it is the DHCP server as well)?

Is this your machine -- why are VMware interfaces on it? Looks like you have IPv6 still enabled -- are you using that? Doubt it, so just other **** that can cause problems on your network.

Yes, I use VMware on this machine and it is my machine. No one is using IPv6, nor is there interest.

I personally would do some cleanup on your boxes and disable IPv6 if you're not using it. Purely from a security aspect, you don't run protocols you don't need! Simple fix to disable via a reg entry:

reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

If you're going to run IPv6 on your network, then set it up.. Your clients don't need a 6to4 interface, they don't need a Teredo interface..

Is disabling really a necessary step? AFAIK, all common Windows 7 installations come with IPv6 installed and enabled. The only way I would disable it is via GP.

Your network hardware is prob not the problem; your problem when you say you're rebooting everything might be as simple as your clients not pointing to ONLY AD for DNS.. And/or your DHCP server craps out, and your clients' leases expire in 1 hour, so then everyone would be dead in the water.

And if everyone has IPv6 enabled but not using it -- bunch of, again, unnecessary traffic flowing, a lot of it broadcast that would just be wasting your wireless bandwidth since your wireless is not isolated to a wireless segment and you have 19 active devices from your ARP on your network. You've got your clients asking for renewals every 30 minutes.

No IPv6 whatsoever.

#34 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 93
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 16 March 2013 - 01:17

In your DHCP server on the DC, remove 192.168.100.100 as DNS! And change the lease to something more realistic -- like 1 day or 4 days.. Not every freaking hour; that means your clients are asking for renewal every 30 minutes -- why?

192.168.100.100, your ZyXEL, doesn't have a clue about any of your AD DNS records.

So if you have no desire for IPv6 -- then disable it! I gave you the simple reg key to disable it. If you want to enable it again, just remove the reg key.

#35 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 16 March 2013 - 07:06

In your DHCP server on the DC, remove 192.168.100.100 as DNS! And change the lease to something more realistic -- like 1 day or 4 days.. Not every freaking hour; that means your clients are asking for renewal every 30 minutes -- why?

OK, I'll remove any entries on the DHCP server on the DC relating to 192.168.100.100 being the DNS. I'll change the renewal to 1 day.

So if you have no desire for IPv6 -- then disable it! I gave you the simple reg key to disable it. If you want to enable it again, just remove the reg key.

My doubt was that every Windows 7 installation by default has IPv6 enabled, meaning a lot of small office networks have IPv6 enabled and are running just fine. Also, that registry modification: would I have to do it to EVERY computer in the office, or can I force it via GP?

#36 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 93
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 16 March 2013 - 12:35

Not saying it won't work -- I am saying what you would do if you set it up correctly ;)

I am quite sure most small offices have it enabled, yes; doesn't make it right.. If you do not use a protocol, then that protocol should not be enabled -- this is security 101. And from a performance and cleanup perspective -- why do you want or need unused traffic on your network? If IPv6 is enabled it's going to be generating traffic. And since you're not using it, it is completely useless.

As to deployment of a registry key via GP -- sure, here:
https://blogs.techne...Redirected=true

Here is another method of doing it via GP:
https://social.techn...oup-policy.aspx

If you don't want to disable it -- then correctly set it up, not leave the freaking mess MS enables from the get-go.. Teredo, 6to4 and ISATAP -- I run it in my home network, but it is correctly configured to be used, and I remove the Teredo, ISATAP and 6to4 nonsense since there is no use for those.

(screenshot: ipv6output.png)

You notice my ipconfig /all output only lists my actual NIC, not the Teredo, 6to4 and ISATAP ones, and notice it actually works on IPv6.. Your boxes have all that stuff enabled sending out noise on your network for what? Can you even ping ipv6.google.com?

#37 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 18 March 2013 - 15:50

Not saying it won't work -- I am saying what you would do if you set it up correctly ;)

I'm trying to just get things working in general; not really looking for efficiency.

I am quite sure most small offices have it enabled, yes; doesn't make it right.. If you do not use a protocol, then that protocol should not be enabled -- this is security 101.

BudMan, I understand this is a security issue but this is not my focus right now.

And from a performance and cleanup perspective -- why do you want or need unused traffic on your network? If IPv6 is enabled it's going to be generating traffic. And since you're not using it, it is completely useless.

As to deployment of a registry key via GP -- sure, here:
https://blogs.techne...Redirected=true

Here is another method of doing it via GP:
https://social.techn...oup-policy.aspx

If you don't want to disable it -- then correctly set it up, not leave the freaking mess MS enables from the get-go.. Teredo, 6to4 and ISATAP -- I run it in my home network, but it is correctly configured to be used, and I remove the Teredo, ISATAP and 6to4 nonsense since there is no use for those.

(screenshot: ipv6output.png)

You notice my ipconfig /all output only lists my actual NIC, not the Teredo, 6to4 and ISATAP ones, and notice it actually works on IPv6.. Your boxes have all that stuff enabled sending out noise on your network for what? Can you even ping ipv6.google.com?

I still don't really understand that IPv6 generates SO MUCH traffic for it to be a performance issue....

Anyways, my office wants to change the firewall ASAP. Like I said, pfSense is going to take up some of my time, as I do NOT have the time to set it up correctly (besides networking, I do a lot of other stuff here, so....). I just need a good firewall.

Thanks to all helping.

#38 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 93
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 18 March 2013 - 16:40

pfSense takes all of about 10 minutes to set up from a BARE box! It will be a working config after it gets an IP from your WAN and you give it an IP on its LAN. It will have the same default rules as any off-the-shelf SOHO router.

It will allow ALL traffic outbound from the LAN segment, and BLOCK all unsolicited traffic inbound. It will have the DHCP server and dnsmasq running after you run through the setup.. Again, if you are dicking with it more than 20 minutes you're doing it wrong ;)

There really is not much to configure for a standard setup.

#39 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 18 March 2013 - 22:51

pfSense takes all of about 10 minutes to set up from a BARE box! It will be a working config after it gets an IP from your WAN and you give it an IP on its LAN. It will have the same default rules as any off-the-shelf SOHO router.

It will allow ALL traffic outbound from the LAN segment, and BLOCK all unsolicited traffic inbound. It will have the DHCP server and dnsmasq running after you run through the setup.. Again, if you are dicking with it more than 20 minutes you're doing it wrong ;)

There really is not much to configure for a standard setup.

We are crossing threads here (this is about the network setup and the other is about a firewall only) but....

Example of me trying to set up pfSense quickly (I probably did something wrong, but).

I booted a LiveUSB of pfSense and did the default config: unplugged all my network cables. When the time came, I chose autodetection and plugged one of my network cards into a switch with internet connectivity. It detected it as WAN. Next, I chose autodetection and plugged my other network card into a standalone switch (only the pfSense was plugged in). The WAN side got a local DHCP IP, the LAN got the standard 192.168.1.1. Next, I plugged my PC into that standalone switch and changed the IP on my PC to 192.168.1.23, subnet /24 and gateway 192.168.1.1.

I could not access it through my web browser or ping 192.168.1.1. If I spent 5 minutes configuring that, I cannot simply take time to troubleshoot where the problem is. I need something that just works :) I know many do not understand that but....

Tomorrow I'll try the LAN side only...

#40 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 21 March 2013 - 14:07

OK, done doing 0.000000001% of redoing the existing network. We are getting a ZyXEL ZyWALL USG 50 in about two days.

#41 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 26 March 2013 - 09:00

Well, obvious questions are obvious....

1: How do I open ports? Tried doing it through the firewall but nothing.
2: How do I port forward?

I searched and a thread came up, and I did what it said, but it doesn't seem to work.

#42 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 26 March 2013 - 11:04

Yes, it is done in the firewall rules. You need to create a WAN-to-LAN or a WAN-to-any rule and allow the ports to traverse to a specific IP within your network.

This is a 20 but it is a similar interface.



#43 majortom1981

majortom1981

    The crazy one

  • Tech Issues Solved: 1
  • Joined: 30-November 01

Posted 26 March 2013 - 11:21

OK, done doing 0.000000001% of redoing the existing network. We are getting a ZyXEL ZyWALL USG 50 in about two days.

Did ZyXEL fix their throughput issues? We had a ZyXEL firewall that got nowhere near their advertised throughput. Even their tech support gave up on helping us. That's why we switched to pfSense.

#44 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 26 March 2013 - 12:24

Yes, it is done in the firewall rules. You need to create a WAN-to-LAN or a WAN-to-any rule and allow the ports to traverse to a specific IP within your network. This is a 20 but it is a similar interface.

I can confirm that does NOT work. Using web tools (check-my-port sites) and actually trying to connect through that port does not allow me.

#45 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 26 March 2013 - 12:31

Call ZyXEL; you should have support with your device.

From the post where this video came from:
"Simply change the IPv4 Destination from "any" to the IP address of the end device's IP address. And then you're done."