since June 30, 2000
)
Now, I wish to state for the record that firewalls, regardless of make, are non-trival devices. I am rather amazed at how many people will install a firewall (often for money), and say "You are now secure". That is no more true than saying your house is secure because you have locks on the door. If you fail to USE those locks properly, or leave a window wide open or back door wide open, your house is NOT secure. I often wonder if offering advice like this does more harm than good. Still, it is in my nature to offer it, so here it is... However, PLEASE be assured that installing a firewall does NOT automatically make you "safe"!!
Background: The user had an established network in-house, which they claimed "worked". They had added a DSL connection and GNATbox Light to tie all their machines inside to the DSL connection. This didn't work. I've edited out a lot of the REALLY user-specific stuff, but some editing has yet to be done here... This user had been horribly inprecise about their problems, so I finally said DO IT THIS WAY. And they were never heard from again. As I said, I'm taking that as success.
Hopefully, soon I can clean this up in to a REALLY generic TCP/IP
crash-intro.
VERY basic (and incomplete) IP lesson:
======================================
In simple IP networking, there are three critically important pieces
of info for each computer on the network, and one really important
thing.
1) IP Address.
2) Subnet mask
3) Gateway
4) DNS server(s) (This is optional, actually, but
most user-stuff
will need it)
Screw up ANY of these numbers, things probably won't work.
You don't
get to guess any of these things. You get to choose some,
but you
don't get to guess.
All nodes must have unique IP addresses. All nodes on a subnet
must
have the same subnet mask. Typically all nodes in a subnet
will have
the same gateway, and they will in your case. The gateway
must be on
the same subnet as the node it is the gateway for.
All the nodes physically on the same subnet should have the same
network number, something that is determined by combining the IP
address of a node and the subnet mask in a way I don't feel like
explaining now. If you don't understand this, just use these
numbers
for your internal systems:
WS IP addresses: 192.168.1.xxx, where
xxx is 2 through 254
GB IP addresse: 192.168.1.1
WS Gateway:
192.168.1.1
Internal subnet mask: 255.255.255.0
DNS server(s) as specified by ISP
GB Gateway as specified by ISP.
Anytime a node wishes to talk to another node, the first thing it
needs to know is if the other node is on the same subnetwork as
it
is. It calculates this by comparing the IP address and the
subnet
mask. If the desired node is on the same subnet, it sends
the message
right to that node. Very simple. This is how your previous
network
was probably working, assuming it was using TCP/IP (this is a big
assumption, BTW). You never had to leave the subnet.
If the desired node is on a different subnet, the message is sent
to
the gateway, and it figures out what to do with the packet, and
very
often, that consists of just passing it along to the next gateway.
Every simple node in an IP network goes through this same process.
Routers may get fancier, and figure out which of MANY different
directions to send a packet, but that's beyond the scope of this...
The gateway for your internal machines is the GNATBox's PRO interface.
The gateway for the GNATbox is the one specified by your ISP.
Hopefully, it is very clear these are NOT the same gateway address.
If not clear, start over.
(The DNS servers are used to determine the numeric address of a
written name (i.e., www.gnatbox.com). GNATBox doesn't _need_
your
DNS info, but it can use it if you provide it.)
IP Troubleshooting
==================
This isn't a cast-in-stone troubleshooting process for all situations,
with experience, you customize it based on what you think might
be
wrong. However, in your case, start with step one, and don't move
on
until step one is working.
1) Inside your office, can you ping from workstation to workstation?
I don't care in the slightest if you can see each other in Network
Neighborhood. That doesn't tell you a thing about what protocol
is in
use (Windows supports several), and doesn't tell you squat about
TCP/IP. If your workstations can't ping each other, don't
even turn
on your GB until you get this fixed.
2) From the GB, can you ping your ISP's specified gateway?
If not, you will not get out of your office.
2a) From the GB can you ping a workstation?
If not, you didn't resolve the problem on quesiton
2, or you have
a bad subnet mask.
These two steps verify that the proper NICs are attached to the
proper
places. If I was convinved the internal IP network was properly
configured, this would be the first step, actually, but I'm not
convinced of that. This is where you get to swap the cables
and try
again, if need be. I don't know about your DSL box, but my
cable
modem needs to be powered down and back up if you change NICs...yours
might, too.
3) Can your workstations ping the GB? Just try for the PRO
NIC. If
not, you have a very basic problem with either your IP addressing
on
the GB or your workstations. If you passed step 2, this is
really
just a double-check.
4) From a workstation, ping the EXT interface on the GB. This
tests
the gateway settings on your workstation. If this test fails
but you
got this far, you messed up the gateway address on your workstations,
for they didn't know where to send the off-subnet traffic.
5) If you got this far, you should be able to ping the ISP-specified
gateway from a workstation. This tests the routing of the
GNATBox.
Actually, GB works as a product, and your install was tested in
step
2, so more accurately, it tests your system to see if routing is
possible.
6) Ping your DNS server from a workstation. Typically (not
universally, of course) the ISP's DNS server is on a different
subnet
than you are. This provides a test that the GB's gateway
address is
set properly. If this doesn't work, you have a problem with
the
gateway address on the GB.
7) Ping a DNS name from a workstation (I normally use novell.com,
because it "always" responds if your stuff is working. You
should
know in advance what does and does not work. gnatbox.com
does not
respond to pings, www.gnatbox.com does.) If this works, you
are
ready to start surfing! Enjoy. If this is where problems
occur,
your workstations have invalid DNS servers specified.
Hope this helps!
Nick.
----------------------------------------------
Holland Consulting home
page
Contact Holland Consulting
since June 30, 2000
(C)opyright 2000, Nick Holland, Holland Consulting