Troubleshooting SOHO Network and Firewall Issues

By Ronald Pacchiano | Posted April 06, 2004

I'm having sort of a strange problem that I hope you can help with. I have 4 computers connected to an 8-port switch and a broadband router. Each of these computers is capable of accessing the Internet. This leads me to believe that all of my hardware is functioning correctly.

However, only some of the computers are capable of sharing data, and then only with some computers and not others. For example, the PCs connected to ports 1 and 3 of the local area network router can see and share data just fine, yet they can't see the two PCs connected to ports 2 and 4.

Conversely, the PCs on ports 2 and 4 can communicate with each other just fine, but not with the other two PCs. I can't understand it. I've tried using different cables and even changed the specific ports these computers where connected to. So far nothing has worked. Do you have any idea what the problem could be?

There are a number of possible scenarios that could be causing your problem, but without some additional detail it would be difficult to draw any conclusions. However from the information you did provide, I can offer some general suggestions that you may find helpful.

For starters, since all of your systems seem to be able to access the internet without any problems, I would think it's safe to assume that the problem doesn't lie with your hardware. The only exception to that might be if your switch has VLAN features (define) enabled. However, VLAN support isn't normally found in small office or home office routers, so I doubt that's the cause of your problem.

Assuming there aren't any software firewall obstacles preventing the computers from sharing data with each other, more than likely the problem is going to be due to an improperly configured network setting. It sounds as though your router is not using DHCP (define) to manage IP address (define) assignments, so I have to assume that all of your workstations are using a static IP.

You should also check your TCP/IP (define) properties to verify that these four workstations are all using the same subnet mask. Typically, your router would be configured with a class C subnet mask of 255.255.255.0. If, instead of this subnet mask, you accidentally configured two of your workstations with a class B address of 255.255.0.0, you would still be able to access the Internet, but you wouldn't be able to see the other workstations on your network.

The reason for this is that even with an incorrect subnet mask, the Internet Gateway address could still be correct. So unknown data packets get forwarded to the gateway like normal. However, the wrong subnet mask would cause your workstations to be segmented differently from the class C machines, thus making them inaccessible.

If that doesn't work, you should check that all of your workstations are members of a common workgroup. Different workgroup names are a common problem in peer-to-peer networks and would make it difficult to access the other PCs.

Depending on which operating system these PCs are running, your problem may have more to do with not being able to access a shared folder as opposed to being able to "ping" a PC as I originally assumed. In this situation the problem would have more to do with a lack of user rights and security associations.

Windows 98 PCs, for example, don't have as stringent security concerns to deal with, whereas Windows NT, 2000, and XP workstations do. So you might want to take a closer look at the rights and group settings of the specific folders you're trying to access.

We are using a DSL line in our office for Internet conductivity. The DSL line is connected to a Windows XP PC running ICF (define). Recently we decided we would like to have access to the network from outside the office. So we set up a VPN (define) connection using a PPTP (define) server. The VPN appears to be configured correctly, but we can't seem to gain access to the network. I tried disabling ICF and to my surprise I discovered that the VPN server was now accessible.

This leads me to believe that there is an incompatibility between our PPTP server and Windows XP. I don't feel comfortable having an open Internet connection without a firewall, but it's important that we have access to the VPN. Do you have any suggestions as to what I should do next? Any help would be appreciated.

In your question you failed to mention what product you were using for VPN access, so I can't really tell you if there is an incompatibility between that and Windows XP's ICF. However, from the way you described the problem I think that your situation has more to do with Windows XP's Internet Connection Sharing (define) and the Internet Connection Firewall.

The role of the firewall is to protect your network from unauthorized access. To do this the firewall monitors all traffic coming into your network. All Internet traffic is based on TCP/IP. TCP traffic (define) travels through your network on ports. Different services travel along different ports.

For example, standard Internet traffic or HTTP (define) uses port 80, FTP (define) port 21, and Telnet (define) port 23. These ports have been pre-defined in ICF to allow the respective types of traffic to safely pass into the network. This type of configuration is typically referred to as a "Rule."

So if you have a PPTP server on your internal network, you'll need to manually configure Windows XP ICS to map the PPTP ports to forward the VPN traffic on to the PPTP server. This will allow the incoming VPN connection to pass through the Windows XP ICS computer.

This is done by adding a Service to the ICS Services List. The Services List contains information on the service type, the related TCP or UCP ports, and the IP address of the host system.

To configure ICS to pass PPTP traffic you first need to know which ports the traffic is going to be passed on. A typical PPTP connection is composed of two types of traffic. The first is PPTP traffic, which utilizes TCP port 1723 and is used to establish and maintain the connection. The second is Generic Route Encapsulation (or GRE), which utilizes port 47 and is used to encapsulate the actual data that is passed between the two endpoints. If you were using IPSec (define) as opposed to PPTP, then the port numbers would change to 500, 50, and 51.

I would like to offer you one last piece of advice. Many of today's applications need to access multiple ports in order to operate correctly. Some of these ports can be very hard to identify. And applications such as online gaming, video-conferencing, and remote access often dynamically assign port usage, making it exceedingly difficult to properly configure ICF to work with them.

As a result, a simpler solution may be to invest in a hardware-based router. Most of today's routers have predefined rules that take into account the unique requirements of many of these applications. This makes hardware firewalls tremendously easier to configure successfully.

If you think you're going to be implementing any of these other applications in the future, I would seriously consider investing in one of these and forgoing ICF. These routers can typically be found for less then $100, and many of them have VPN services built right in.

Adapted from PracticalyNetworked.com, part of the EarthWeb.com Network.

Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date