TCP/IP Concepts and Troubleshooting

On March 26, 2000, I posted the following to the GB-Users mail list.  It was in response to someone who was having trouble getting their GNATbox firewall (a very good, very cost effective industrial strength firewall) configured.  We never heard back from that user; I'm taking that as meaning my writing was superb and resolved all their problems.  (Yes, I have one heck of an ego.)

Now, I wish to state for the record that firewalls, regardless of make, are non-trivial devices.  I am rather amazed at how many people will install a firewall (often for money), and say "You are now secure".  That is no more true than saying your house is secure because you have locks on the door.  If you fail to USE those locks properly, or leave a window wide open or back door wide open, your house is NOT secure.  I often wonder if offering advice like this does more harm than good.  Still, it is in my nature to offer it, so here it is...  However, PLEASE be assured that installing a firewall does NOT automatically make you "safe"!!

Background:  The user had an established network in-house, which they claimed "worked".  They had added a DSL connection and a GNATbox Light to tie all their machines inside to the DSL connection.  This didn't work.  I've edited out a lot of the REALLY user-specific stuff, but some editing has yet to be done here...  This user had been horribly imprecise about their problems, so I finally said DO IT THIS WAY.  And they were never heard from again.  As I said, I'm taking that as success.

Hopefully, soon I can clean this up into a REALLY generic TCP/IP crash-intro.

VERY basic (and incomplete) IP lesson:
In simple IP networking, there are three critically important pieces
of info for each computer on the network, and one really important one:
  1) IP Address
  2) Subnet mask
  3) Gateway
  4) DNS server(s)  (This is optional, actually, but most user-stuff
     will need it)
Screw up ANY of these numbers, and things probably won't work.  You don't
get to guess any of these things.  You get to choose some, but you
don't get to guess.

All nodes must have unique IP addresses.  All nodes on a subnet must
have the same subnet mask.  Typically all nodes in a subnet will have
the same gateway, and they will in your case.  The gateway must be on
the same subnet as the node it is the gateway for.

All the nodes physically on the same subnet should have the same
network number, something that is determined by combining the IP
address of a node and the subnet mask in a way I don't feel like
explaining now.  If you don't understand this, just use these numbers
for your internal systems:
     WS IP addresses:, where xxx is 2 through 254
     GB IP address:
     WS Gateway:
     Internal subnet mask:
     DNS server(s) as specified by ISP
     GB Gateway as specified by ISP.

Anytime a node wishes to talk to another node, the first thing it
needs to know is if the other node is on the same subnetwork as it
is.  It calculates this by comparing the IP address and the subnet
mask.  If the desired node is on the same subnet, it sends the message
right to that node.  Very simple.  This is how your previous network
was probably working, assuming it was using TCP/IP (this is a big
assumption, BTW).  You never had to leave the subnet.

If the desired node is on a different subnet, the message is sent to
the gateway, and it figures out what to do with the packet, and very
often, that consists of just passing it along to the next gateway.
Every simple node in an IP network goes through this same process.
Routers may get fancier, and figure out which of MANY different
directions to send a packet, but that's beyond the scope of this...
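The network-number calculation the text skips over, and the "same subnet or send to the gateway" decision every node makes, written out as an added example (not part of the original post).  The addresses, labels and the check_config helper are constructed placeholders standing in for an inside subnet with workstations and the GNATbox PRO interface on it.

```python
# Added example: the bitwise AND behind "network number", plus the
# forwarding decision and the configuration rules stated in the text.
# All addresses are constructed placeholders, not the user's real numbers.

def to_int(dotted: str) -> int:
    """Convert a dotted quad such as '192.168.1.20' to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_number(ip: str, mask: str) -> str:
    """Network number = IP address AND subnet mask, bit by bit."""
    return to_dotted(to_int(ip) & to_int(mask))

def same_subnet(a: str, b: str, mask: str) -> bool:
    return network_number(a, mask) == network_number(b, mask)

def next_hop(src: str, mask: str, gateway: str, dst: str) -> str:
    """Where src sends a packet: straight to dst if dst is on the same
    subnet, otherwise to the gateway and let it figure out the rest."""
    return dst if same_subnet(src, dst, mask) else gateway

def check_config(nodes: dict, mask: str, gateway: str) -> list:
    """Apply the text's rules: unique addresses, every node using the
    subnet's mask, every node on the gateway's subnet.  nodes maps a label
    to (ip, mask).  Returns the list of problems found (empty when clean)."""
    problems, seen = [], {}
    for name, (ip, node_mask) in nodes.items():
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} share address {ip}")
        seen[ip] = name
        if node_mask != mask:
            problems.append(f"{name} has mask {node_mask}, subnet uses {mask}")
        elif not same_subnet(ip, gateway, mask):
            problems.append(f"{name} ({ip}) is not on gateway {gateway}'s subnet")
    return problems

if __name__ == "__main__":
    MASK = "255.255.255.0"      # constructed inside subnet mask
    GB_PRO = "192.168.1.1"      # constructed GNATbox PRO (inside) address
    office = {"ws2": ("192.168.1.2", MASK), "ws3": ("192.168.1.3", MASK),
              "ws_bad": ("192.168.2.7", MASK)}
    print(check_config(office, MASK, GB_PRO))
    print(next_hop("192.168.1.2", MASK, GB_PRO, "192.168.1.3"))    # direct
    print(next_hop("192.168.1.2", MASK, GB_PRO, "198.51.100.53"))  # via GB
```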

The gateway for your internal machines is the GNATBox's PRO interface.
The gateway for the GNATbox is the one specified by your ISP.
Hopefully, it is very clear these are NOT the same gateway address.
If not clear, start over.

(The DNS servers are used to determine the numeric address of a
written name (i.e.,  GNATBox doesn't _need_ your
DNS info, but it can use it if you provide it.)

IP Troubleshooting
This isn't a cast-in-stone troubleshooting process for all situations;
with experience, you customize it based on what you think might be
wrong.  However, in your case, start with step one, and don't move on
until step one is working.

1) Inside your office, can you ping from workstation to workstation?
I don't care in the slightest if you can see each other in Network
Neighborhood.  That doesn't tell you a thing about what protocol is in
use (Windows supports several), and doesn't tell you squat about
TCP/IP.  If your workstations can't ping each other, don't even turn
on your GB until you get this fixed.

2) From the GB, can you ping your ISP's specified gateway?
    If not, you will not get out of your office.
2a) From the GB can you ping a workstation?
    If not, you didn't resolve the problem on question 2, or you have
a bad subnet mask.
These two steps verify that the proper NICs are attached to the proper
places.  If I was convinced the internal IP network was properly
configured, this would be the first step, actually, but I'm not
convinced of that.  This is where you get to swap the cables and try
again, if need be.  I don't know about your DSL box, but my cable
modem needs to be powered down and back up if you change NICs...yours
might, too.

3) Can your workstations ping the GB?  Just try for the PRO NIC.  If
not, you have a very basic problem with either your IP addressing on
the GB or your workstations.  If you passed step 2, this is really
just a double-check.

4) From a workstation, ping the EXT interface on the GB.  This tests
the gateway settings on your workstation.  If this test fails but you
got this far, you messed up the gateway address on your workstations,
for they didn't know where to send the off-subnet traffic.

5) If you got this far, you should be able to ping the ISP-specified
gateway from a workstation.  This tests the routing of the GNATBox.
Actually, GB works as a product, and your install was tested in step
2, so more accurately, it tests your system to see if routing is

6) Ping your DNS server from a workstation.  Typically (not
universally, of course) the ISP's DNS server is on a different subnet
than you are.  This provides a test that the GB's gateway address is
set properly.  If this doesn't work, you have a problem with the
gateway address on the GB.

7) Ping a DNS name from a workstation (I normally use,
because it "always" responds if your stuff is working.  You should
know in advance what does and does not work. does not
respond to pings, does.)  If this works, you are
ready to start surfing!  Enjoy.  If this is where problems occur,
your workstations have invalid DNS servers specified.
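The workstation-side part of the sequence above (steps 1, 3 through 7; steps 2 and 2a run on the GB itself and are left out), as an added example that is not part of the original post: it runs the pings in order, stops at the first failure, and reports the diagnosis the text attaches to that step.  The addresses and the DNS name are constructed placeholders to be replaced with your own.

```python
# Added example: walk the text's ping sequence from a workstation, in order,
# and stop at the first failing step.  Addresses are constructed placeholders;
# step numbers are the text's.  ping flags are those of Linux iputils.
import subprocess

WS_PEER = "192.168.1.3"      # another inside workstation (step 1)
GB_PRO = "192.168.1.1"       # GNATbox PRO, inside interface (step 3)
GB_EXT = "203.0.113.2"       # GNATbox EXT, outside interface (step 4)
ISP_GW = "203.0.113.1"       # ISP-specified gateway (step 5)
DNS_IP = "198.51.100.53"     # ISP DNS server, by address (step 6)
DNS_NAME = "example.com"     # a name you know answers pings (step 7)

# (step number, target, what a failure at this step means)
STEPS = [
    (1, WS_PEER, "workstations cannot ping each other: fix the inside "
                 "IP addressing before turning the GB on"),
    (3, GB_PRO, "cannot reach the PRO interface: IP addressing on the GB "
                "or the workstation is wrong"),
    (4, GB_EXT, "cannot reach the EXT interface: the workstation's gateway "
                "address is wrong"),
    (5, ISP_GW, "cannot reach the ISP gateway: routing through the GB is "
                "not working"),
    (6, DNS_IP, "cannot reach the DNS server by address: the GB's gateway "
                "address is wrong"),
    (7, DNS_NAME, "cannot ping by name: the workstation's DNS servers are "
                  "wrong"),
]

def ping(host: str) -> bool:
    """One echo request, wait at most 2 seconds for the reply."""
    r = subprocess.run(["ping", "-c", "1", "-W", "2", host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

def run_sequence(probe=ping) -> tuple:
    """Run STEPS in order.  Returns (0, 'all steps passed') if every probe
    succeeds, else (step, diagnosis) for the first failure.  `probe` is
    injectable so the sequence can be dry-run without a network."""
    for step, target, diagnosis in STEPS:
        if not probe(target):
            return step, f"step {step} failed on {target}: {diagnosis}"
    return 0, "all steps passed"

if __name__ == "__main__":
    print(run_sequence())
```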

Hope this helps!



(C)opyright 2000, Nick Holland, Holland Consulting

Published: 6/30/2000
Revised: 6/30/2000