Jump to content
|Topic||Stats||Last action by|
|iOS 9 & OS X 10.11 to bring ‘quality’ focus, smaller apps, Rootless security, legacy iPhone/iPad||
|My computer has been hacked.||
|Netbeans Reset Button||
|will Neowin update forum design?||
Posted 15 March 2013 - 09:37
Posted 15 March 2013 - 11:12
Posted 15 March 2013 - 22:56
You forgot the five 9s on you 99
OK so then what should I chance?
Welll I can tell right off why you might have issues with your network, your using the gateway as DNS. As I mentioned before in AD, you ONLY talk to AD dns -- your zyxel has not a clue to your AD structure, he might be able to resolve google.com for you -- but he sure and the hell can not resolve your AD domain entries. You point to your DC, your DC forwards queries he does not have the answer to your isp or googledns, or opendns, etc.
Could this be a DC setting (since we have come to the conclusion that it is the DHCP server as well)>
Another issue I see, why is your dhcp lease only 1 hour??
Yes, I use VMWare on this machine and it is my machine. Noone is using IPv6 nor is there intrest.
Is this your machine - why is vmware interfaces on it? Looks like you have ipv6 still enabled - you using that? Doubt it, so just other **** that can cause problem your network.
Is disabling really a necceary step? AFAIK, all common Windows 7 installations come with IPv6 installed and enabled. The only way I would disabled it is via GP.
I personally would do some clean up on your boxes and disable ipv6 if your not using it. Purely from a security aspect you don't run protocols you don't need! Simple fix to disable via a reg entry
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
If your going to run ipv6 on your network, then set it up.. Your clents don't need a 6to4 interface, they don't need teredo interface..
No IPv6 what so ever.
Your network hardware is prob not the problem, your problem when you say your rebooting everything might be as simple as your clients are not pointing to ONLY AD for dns.. And or your dhcp server craps, and your clients lease expire in 1 hour so then everyone would be dead in the water.
And if everyone has ipv6 enabled but not using it - bunch of again unnecessary traffic flowing, a lot of it broadcast that would just be wasting your wireless bandwidth since your wireless is not isolated to wireless segment and you have 19 active devices from your arp on your network. You got your clients asking for renews every 30 minutes.
Posted 16 March 2013 - 01:17
Posted 16 March 2013 - 07:06
OK, Ill remove any entries on the DHCP server on the DC relating to 192.168.100.100 being the DNS. Ill change the renewal to 1 day.
In your dhcp server on the DC, remove 192.168.100.100 as dns! And change the lease to something more realistic -- like 1 day or 4 days.. Not ever freaking hour, that means your clients are asking for renewal every 30 minutes - why?
My doubt was that every Windows 7 installation by default has IPv6 enabled so meaning a lot of small office networks have IPv6 enabled and are running just fine. Also, that registry modification, would I have to do it to EVERY computer in the office or can I force it via GP?
So if you have no desire for IPv6 - then disable it! I gave you the simple reg key to disable it. If you want to enable it again, just remove the reg key.
Posted 16 March 2013 - 12:35
Posted 18 March 2013 - 15:50
Im trying to just get things working in general; Not really looking for efficiency.
Not saying it wont work - I am saying what you would do if you set it up correctly
BudMan, I understand this is a security issue but this is not my focus right now.
I am quite sure most small offices have it enabled yes, doesn't make it right.. If you do not use a protocol, then that protocol should not be enabled - this is security 101.
I still dont really understand that IPv6 generates SO MUCH traffic to it be a performance issue....
And from a performance and clean up perspective - why do you want or need unused traffic on your network. If ipv6 is enabled its going to be generating traffic. And since your not using it, is completely useless.
As to deployment of a registry key via gp - sure here
Here is another method of doing it via gp
If you don't want to disable it - then correctly set it up, not leave the freaking mess MS enables from the git go.. Teredo, 6to4 and isatap - I run it in my home network, but is is correctly configured to be used and remove the teredo, isatap and 6to4 nonsense since there is no use for those.
You notice my ipconfig /all output only list my actual nic, not the teredo, 6to4 and isatap and notice actually work on ipv6.. You boxes have all that stuff enabled sending out noise on your network for what? Can you even ping ipv6.google.com ?
Posted 18 March 2013 - 16:40
Posted 18 March 2013 - 22:51
We are crossing threads here (this is about the network setup and the other is about a firewall only) but....
pfsense takes all of about 10 minutes to setup from a BARE box! It will be working config after it gets an IP from your wan, and you give it an IP on its lan. It will have the same default rules as any off the shelf soho router.
It will allow ALL traffic outbound from the lan segment, and BLOCK all unsolicated traffic inbound. It will have dhcp server and dnsmasq running after you run through the setup.. Again if you are dicking with it more than 20 minutes your doing it wrong
There really is not much to configure for a standard setup.
Posted 21 March 2013 - 14:07
Posted 26 March 2013 - 09:00
Posted 26 March 2013 - 11:04
Posted 26 March 2013 - 11:21
OK, done doing 0.000000001% of redoing the existing network. We are getting a ZyXEL ZyWALL USG 50 in about two days.
Posted 26 March 2013 - 12:24
yes it is done in the firewall rules. You need to create a wan to lan or a wan to any rule and allow the ports to transverse to a specific ip within your network. this is a 20 but it is a similar interface.
Posted 26 March 2013 - 12:31