59 replies to this topic

[pes2013]

Nope, no phone support from ZyXEL and like I mentioned, the video is incorrect.

I finally got it to work by tinkering around.

[pes2013]

I was going to disable IPv6 thru GP but reading, this came up:

http://msmvps.com/bl...e-and-ipv6.aspx

Quote

Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

I simply from a bandwidth point of view do not see the need to diabled IPv6. From a security point of view, of course.

[+sc302]

it is completely up to you. But if you ever watch packets on the network to troubleshoot network issues, having those packets that you don't need to take up space and processing power during a capture helps. I just did a 30 second capture on my laptop to troubleshoot a network issue here (we also have ipv6 enabled)...a 30 second capture created about 1.5GB of log, there was a bit of ipv6 traffic in there and if we had it disabled the file wouldn't have been as large. Unfortunately to test will take a bit of time that we don't have (small IT department with a ton of projects going on at the same time).

[+BudMan]

are you running any of those services that "need" ipv6 - if not then disable it. From a security point of view alone.. You don't run protocols your not using, period!

If you are using something that requires it, then you should be correctly enabling it on your network.. Not leaving the 3 different methods MS turns on by default. teredo, isatap and 6to4.. I doubt your using any of those, so disable them and let native ipv6 run and set it up correctly so it actually works.

What AD/Windows servers are you running - are you on 2k8? If your using 2003 server IPv6 is not even there by default and you would have to install it. So I doubt your running any services that require ipv6

And I agree with sc302, unwanted traffic on your network be it a bandwidth issue or not is noise - why would you want it there? It just makes troubleshooting any thing more cumbersome having to weed through noise. And it might not be a bandwidth issue, but sure its going to create dns queries - that most likely are going to just get forward out your wan because your AD dns can not respond... Don't you have a very small upload pipe? something like 500kbits or something.. Every packet requesting something you have no use for, is just getting in the way of packets you want to go out and get answers from.

Do you need ipx? Then why would you run it on your network, what about appletalk? If you don't need/use a protocol then it shouldn't be running on your network. But if you don't control settings on OSes and Devices that you put on your network - these protocols are most likely there as unwanted noise.

Not something you have to do right this minute, but I would put cleanup of such things on your list of things to do to make your network the best it can be. A simple GP push to disable ipv6 would remove quite a bit of noise. If you have concerns do it on a few machines first - does everything still work? If so then you have no use of it!

btw
"I finally got it to work by tinkering around."

I wince every time I hear something like this - what did you do? You need to understand what was wrong.. not just randomly trying ****.

[pes2013]

Removed the router's IP from the AD's DNS list and updated the DHCP lease to 1 day.

BudMan, on 27 March 2013 - 16:04, said:

btw
"I finally got it to work by tinkering around."

I wince every time I hear something like this - what did you do? You need to understand what was wrong.. not just randomly trying ****.

Well, there was a object basically called "WAN" then any then "WAN1_PPP". I tried any as I literally wanted it to come from anywhere but that didnt work out. Later I believe I either tried WAN (which is a service group containing WAN1_PPP, WAN2_PPP etc) or WAN1_PPP. One of those as source did it so....

I want to disable/enable ping ICMP but I cant seem to set it up correctly. Hmmm.......

Also, since ONCE AGAIN I am not aiming for security, Im not going to do the IPv6; Also I pointed out a article (from MS) that certain things might break so.........Im not risking it.

Ill get a ipconfig /all up on Tuesday and show you results.

[+BudMan]

whatever dude - removing **** your NOT using CAN NOT BREAK ANYTHING -- are you using teredo?? NO - its a tunneling protocol for ipv6 over 4, are you using isatap?(Intra-Site Automatic Tunnel Addressing Protocol) -- again a method of doing ipv6 over ipv4, not USING IT

6to4 tunnel, again NOT using it!! if you want to leave a IPv6 stack in place sure go ahead, you sure do not need these tunneling methods enabled. If you want your nic to have a local link IPv6 address, sure go for it - pointless unless your actually using ipv6.. Do your servers even have it enabled? If your running 2k3 server then NO its not.

So what do you want to do enable or disable icmp - I would guess you want to enable, because most likely out of the box its disabled.. I would have to lookup up the manual, I don't use those firewalls - did you read the manual? Which should of be step one before you even took it out of the box!!

I don't know what kind of connection you have, so I could not tell you if your PPP or not..

And again - yes its good security practice to disable protocols your not using, and its also just over all good house keeping.. But sure if you don't care if your house is a complete and utter mess then leave all your tunnels that your not using enabled and just beeping away on your network.. Pointless nonsense you could clean up with a few key strokes in your GP.

[pes2013]

Its enabled out of the box.

Did you read the article I pointed out saying that there are some built in programs that if IPv6 is disabled on W7, could break normal operations???

And our DC is Windows Small Business Server 2003

[+BudMan]

"And our DC is Windows Small Business Server 2003"

Then it has NO ipv6 enabled out of the box - did you ENABLE it?? I highly doubt it!!

Then there is NO freaking way anything your doing with xp, vista, w7 or even 8 is doing anything with your server that has anything thing to do with you ipv6. Period - and they don't do anything to each other. So you HAVE NO USE if ipv6 on your network - NONE!! As I already stated disable it on a couple of machines if your worried. It takes 2 seconds and reboot to disable it, and same amount of time to re-enable it if something doesn't working. Which is not the case because if you have 2k3 server your NOT doing anything with ipv6, because its even enabled on that os unless you installed it..

And yes I read your link - it does NOT pertain to ANYTHING you could be doing because your not even running ipv6 on your server - so as I stated before everything ipv6 related on your clients is freaking noise! nothing more...

[StrikedOut]

Very quick and simple to disable, http://social.techne...up-policy.aspx. Doesn't look like it would take more than 10 min either.

[+BudMan]

^ I already linked to that article back on post #36, and your link is bad btw -- there is a . on the end that causes it to fail.

[Obi-Wan Kenobi]

AOXOMOXOA, on 13 March 2013 - 21:03, said:

Hey pes2013 !!

Listen to BudMan,,

he has really good advice, he has helped me out of a jam once or twice as well. and I have been running networks since before windows was a household name.

THIS, to the infinite power. Don't shun BudMan....he actually KNOWS what he's talking about. I suggest to listen to him. Don't be argumentive. He is the person that has kept my network still working through his advice to others. Trust the almighty BudMan... He'll help you get everything flowing properly.

[SPEhosting]

BudMan, on 08 March 2013 - 14:46, said:

"The wireless clients are MACed controll and WEP"

So completely open to anyone that can google then Since both are completely and utterly useless as security measures.

agreed WEP is easy to hack and MACs easy to fake... you can sniff the working macs while you are cracking the WEP XD

[dnsing]

Here is the updated network with the DNS entry of my router removed and DHCP lease time increased to 1 day:



Next step that should be done? For now, with the new firewall and the AD updated to the new settings, internet access seems to be doing great without a hiccup (for now)

[+BudMan]

Why are you posting from a different nic? That just joined? Your only suppose to use 1 account on neowin.

[sagum]

pes2013, on 28 March 2013 - 01:45, said:

Its enabled out of the box.

Did you read the article I pointed out saying that there are some built in programs that if IPv6 is disabled on W7, could break normal operations???

And our DC is Windows Small Business Server 2003

BudMan is sound when it comes to advice. You should listen to him.
What he's basically doing here is offering you a near 100% walk through of setting up your network *perfectly*, apart from actually coming on site and doing it for you. All you just have to answer his questions and do what he says.
Do you even know how much he could be charging you for this service?
He's handing you the offer of a trouble free setup of your network, one that is secure, and easy to maintain after it's setup .. and you're throwing the chance it away.

Budman has more experience then most on these forums, if he says it'd be best to disable IPv6 if your clients aren't using it, he's probably telling you it for a reason that he's had experience from.


As for your lack of worry about security, if your clients are tunnelling IPv6 over IPv4, the machines are pretty much bypassing your firewall and giving them direct contact with the outside world over IPv6. While you'll have internet facing IPv6 addresses for this, you're still poking holes in to your network (directly to machines) from the outside and once they're in your network, they can use the Local and LAN IPv6 addresses to attack any other IPv6 enabled machine on your network. It's just not worth the security risk, no matter how small it is. It's like the 90's all over again and people are just ignoring it as a non-issue.
Lastly, I noticed you weren't too concerned about WiFi setup, one of the reasons your network could be dropping its connections is if a rogue attacker has your WEP key and is using all your bandwidth or simply screwing around with the network in general. Security should almost always be one of your top priority, even more so on a live network.