
DHCP (techies only)


Mac the Knife
13th Dec 2003, 19:31
Anyone have any idea why one of my machines (XP Pro) stubbornly refuses to recognise DHCP IP assignations? Doesn't make any difference whether the DHCP server is Windows or Linux.

I've changed cables, the network card and even done a repair installation of XP - nada, keeps defaulting to APIPA.

It's driving me nuts!

[Two strings walk into a bar and one says, "I'll have a @#$%$%%^ *+_@#$%%*()(<>?^!"
"You'll have to excuse him" says the other, "He's not null terminated..."]

fobotcso
13th Dec 2003, 20:35
Suggest you take a look at the Services and see if the DHCP Client Service is starting up or has been disabled.

You'll know this but just for completeness:

Start>Control Panel>Administrative Tools>Services

Mac the Knife
14th Dec 2003, 01:23
Thanks for the suggestion fobs. The service IS running, though I admit to my shame that I hadn't checked that...

Situation is thus:

Machine1 - XP Pro - 2 NICs
Machine2 - XP Pro - 1 NIC
Machine3 - FreeSCO router - 1 NIC

M1 is connected to M3 thru one NIC & picks up a DHCP address (176.16.0.3) as it should and connects to the Internet as it should - no problem.

M2 is connected to M1 with the other NIC thru a switch - but I can only get 'em to see each other if I just leave it to APIPA or assign static IPs - 192.168.0.1 for M1 and 192.168.0.2 for M2 - BTW no difference if I connect them directly (and I am using a X-over cable for that).

Since M1 has no trouble picking up a DHCP IP when connected to M3 I would have expected M2 to do the same (when I connect them directly as a test) but no joy.

Protocols are TCP/IP + Client for MS Networks + QOS with the addition of File & Print Sharing for the 192.168.0.0/255.255.255.0 network.

Gotta resolve this as M2 is the kid's machine & he wants the latest funnies....

fobotcso
14th Dec 2003, 03:08
OK :)

XP has a habit of creating a bridge where none is required thus isolating a machine from the rest of the LAN.

Suggest that you look at this in M2 as follows.

Start>Settings>Network Connections

If there is a Bridge, delete it.

Click on the "Repair" option for good measure and see what happens.

Caslance
14th Dec 2003, 04:25
Start>Control Panel>Administrative Tools>Services

Or you could try Run>"services.msc" (Enter) to open the services management console directly.

rickity
14th Dec 2003, 05:59
Mac

Have to question why you want to connect M2 to M1, why not put the extra NIC in your FreeSCO box or even connect the switch to the FreeSCO box and the other 2 computers to the switch. That way you won't have to worry about XP and DHCP as FreeSCO will do it for all.

Always complicated if you have 2 machines capable of issuing DHCP on the same network.

As an observation the IP 176.16.0.3 seems a little strange. I hope it is of your choice as it would have been recommended to use 192.168.x.x or 10.10.x.x for your internal network and that is what I would have expected to have been issued by FreeSCO, but totally dependent on your settings and shouldn't affect your problem.

Rickity

Naples Air Center, Inc.
14th Dec 2003, 12:31
Mac the Knife,

I am with Rickity on this one. You should have the Firewall machine as your uplink on the Switch and all the rest of the computers plugged into the Switch. You do not want the network to pass through multiple computers, it kills the throughput. (Especially for the computer at the end of the line.)

Take Care,

Richard

P.S. Start with 192.168.x.x .... then once you have the network up and running, then play with the IP Addresses.

Mac the Knife
14th Dec 2003, 13:50
Thanks chaps

172.16.0.0-172.31.255.255 is one of the other IANA agreed blocks for private networks - I chose it because it was less obvious than the 192 block. Should be OK AFAIK but I can try changing it.

Isn't it insecure to have the gateway on the same subnet? For M1 and M2 to see each other you'd have to enable File and Printer Sharing which would leave you wide open on the Web!

I s'pose I could always disable F&P sharing on TCP/IP and enable it on IPX/SPX for M1/M2

I'll tinker some more but suspect that XP on M2 is hosed and may require reinstalling from scratch.

All suggestions welcome - thanks again

Mac the Knife
15th Dec 2003, 01:42
Ah ha! Success!

1) Did a full reinstall of XP on the kid's PC (M2) - [I think this was what was wrong]
2) Pulled the second NIC on M1 and fed everything thru the switch. You guys were right.
3) Changed the IP addressing to the 190.etc. block (the 176.xxx block SHOULD work - I'll try it again some day)
4) Installed IPX/SPX in M1 & M2 - disabled F&P sharing on TCP/IP and enabled it on IPX/SPX for both. That way folks on the Web can't browse my folders but I can - remember to set different internal network numbers for IPX/SPX/NetBIOS in the relevant machines if you do this.
5) ZoneAlarm sees it as one big network now (you see what I was trying to do) so I won't trust it generally but WILL trust the address of M2.

Now to reinstall all the fr&^*$ing software!

Many many thanks to all of you for all the suggestions and advice - it really helped me to redefine the problem and fix it. Ain't PPRuNe great!

Naples Air Center, Inc.
15th Dec 2003, 02:57
Mac the Knife,

That is great news! (Now that you have it up and running, you can play with the IP Addresses of your internal network.) ;)

Take Care,

Richard

RomeoTangoFoxtrotMike
15th Dec 2003, 20:36
MAC,

Glad to see you've got it working :ok:

For completeness, as they say, the reason you couldn't get DHCP working from M3 to M2 is that (to oversimplify somewhat) DHCP requires broadcasts to work between client and server, since the client (a) doesn't know the server's IP, and (b) doesn't have an IP address yet for the server to send to -- that's why you are DHCPing in the first place :) . In your original setup, M1 was acting as sort of very basic router -- well, an IP forwarder really -- and broadcasts do not cross routed-network boundaries (that's one of the many reasons that you have routing in the first place.) So the original DHCP broadcast requests were not crossing the "router" that was M1. By putting M2 onto a network that can "see" M3 directly (into the same broadcast domain), you enable M2's DHCP broadcasts to get to M3 and the replies to get back again, if you see what I mean :cool:

I'm not quite sure why (on a quick reading) you need the differing levels of protection for the two systems, but from a quick browse of the FreeSCO site it appears to support multiple interfaces: therefore, as somebody else suggested, put multiple ethernet cards into the FreeSCO box and set up policies to give you the level of access control that you need. This is a sort-of DMZ (de-militarised zone) setup; you'll see many references to DMZs in the security literature. If FreeSCO's worth having at all (and I haven't taken a good look yet -- will try and get a play in over Xmas) then it ought to be able to set up policies to give you the protection you need, without having to resort to running IPX/SPX or other tricks... :hmm:

Please ask further if this was as clear as mud... :ok:

RTFM
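RTFM's explanation above (DHCP is broadcast-based, and broadcasts stop at a routed boundary), as an added example that is not code from the thread, from FreeSCO or from Windows: a small Python model of hosts on named broadcast domains. A forwarder with NICs on two segments passes unicast between them but never forwards broadcasts, so a client on the far side of it hears no OFFER and falls back to a 169.254.x.y APIPA address, which is the symptom at the top of the thread. Addresses (172.16.0.1 for the router, 192.168.0.x for the LAN side) and the APIPA pick are constructed. It goes beyond the thread in one respect: it also shows a DHCP relay agent (the giaddr mechanism of RFC 2131), which is the standard way to serve a client on another segment without flattening the network onto one switch.

```python
"""Toy model of DHCP discovery across broadcast domains (RFC 2131 style).
Added example, not code from the thread, FreeSCO or Windows. A forwarder with
NICs on two segments passes unicast between them but never forwards broadcasts,
as a router does. A client that hears no OFFER falls back to APIPA (169.254/16),
the thread's symptom. A relay agent (RFC 2131 giaddr) is shown as the general fix.
"""
import ipaddress

BROADCAST = "255.255.255.255"
APIPA = ipaddress.ip_network("169.254.0.0/16")


class Network:
    def __init__(self):
        self.nics = {}        # (host, segment) -> IP string, or None if unconfigured
        self.handlers = {}    # host -> callable(net, host, segment, src, dst, msg)
        self.forwarders = set()

    def attach(self, host, seg, ip=None, handler=None, forwarder=False):
        self.nics[(host, seg)] = ip
        if handler:
            self.handlers[host] = handler
        if forwarder:
            self.forwarders.add(host)

    def send(self, sender, seg, src, dst, msg):
        if dst == BROADCAST:
            # A broadcast reaches every NIC on this segment and goes no further.
            targets = [(h, s) for (h, s) in self.nics if s == seg and h != sender]
        else:
            # Unicast: deliver on the same segment, or via one routed hop through a
            # forwarder that has a NIC on both segments; otherwise it is dropped.
            targets = [(h, s) for (h, s), ip in self.nics.items() if ip == dst and (
                s == seg or any((f, seg) in self.nics and (f, s) in self.nics
                                for f in self.forwarders))]
        for h, s in targets:
            if h in self.handlers:
                self.handlers[h](self, h, s, src, dst, msg)


def make_server(pools):
    """pools: giaddr (None = the server's own segment) -> free addresses."""
    pools = {k: list(v) for k, v in pools.items()}

    def handler(net, me, seg, src, dst, msg):
        pool = pools.get(msg.get("giaddr"))
        if msg["op"] == "DISCOVER" and pool:
            offer = dict(op="OFFER", xid=msg["xid"], yiaddr=pool.pop(0), giaddr=msg.get("giaddr"))
            # Relayed: unicast to the relay. Direct: the client has no address yet,
            # so the OFFER goes back as a broadcast.
            net.send(me, seg, net.nics[(me, seg)], msg.get("giaddr") or BROADCAST, offer)
    return handler


def make_relay(server_ip, client_seg, server_seg):
    """Relay agent: stamps giaddr on DISCOVERs, rebroadcasts OFFERs meant for it."""
    def handler(net, me, seg, src, dst, msg):
        my_ip = net.nics[(me, client_seg)]
        if msg["op"] == "DISCOVER" and seg == client_seg:
            net.send(me, server_seg, net.nics[(me, server_seg)], server_ip, dict(msg, giaddr=my_ip))
        elif msg["op"] == "OFFER" and msg.get("giaddr") == my_ip:
            net.send(me, client_seg, my_ip, BROADCAST, msg)
    return handler


def run_client(net, client, seg, xid):
    """Broadcast one DISCOVER from 0.0.0.0; return the offered address or an APIPA fallback."""
    result = {}

    def on_frame(n, h, s, src, dst, msg):
        if msg["op"] == "OFFER" and msg["xid"] == xid:
            result["offered"] = msg["yiaddr"]
    net.handlers[client] = on_frame
    net.send(client, seg, "0.0.0.0", BROADCAST, {"op": "DISCOVER", "xid": xid})
    # No OFFER arrived: self-assign 169.254.x.y (the pick here is constructed, not random).
    return result.get("offered", str(APIPA[xid % 65534 + 1]))


def thread_topology(relay=False):
    """M3 (FreeSCO, DHCP server) <-wan-> M1 (two NICs) <-lan-> M2, as in the thread."""
    net = Network()
    net.attach("M3", "wan", "172.16.0.1", handler=make_server(
        {None: ["172.16.0.3"], "192.168.0.1": ["192.168.0.10"]}))
    net.attach("M1", "wan", forwarder=True)
    net.attach("M1", "lan", "192.168.0.1", forwarder=True)
    net.attach("M2", "lan")
    if relay:  # M1 additionally runs a relay agent (the general fix)
        net.handlers["M1"] = make_relay("172.16.0.1", "lan", "wan")
    return net


def switched_topology():
    """Everything on one switch, the layout the thread settled on."""
    net = Network()
    net.attach("M3", "lan", "192.168.0.1", handler=make_server({None: ["192.168.0.2"]}))
    net.attach("M1", "lan")
    net.attach("M2", "lan")
    return net
```

With `thread_topology()`, `run_client(net, "M1", "wan", 1)` gets 172.16.0.3 from M3 while `run_client(net, "M2", "lan", 2)` comes back with a 169.254.x.y address, exactly the split Mac described; `switched_topology()` gives M2 a lease directly, and `thread_topology(relay=True)` gives it one through M1 without putting M2 on M3's segment.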

Mac the Knife
16th Dec 2003, 02:11
Thanks RomeoTango...

First of all the 172.16.0.0/176.31.255.255 block works fine - I think the main problem was that there was something wrong with the network protocols on M2 - I tried clearing out TCP/IP with netsh int ip reset resetlog but no joy - only after reinstalling XP did it work and it worked instantly.

Now a question - according to one source if you have File and Print Sharing bound to TCP/IP on the same subnet that also connects to the Internet that means that anyone can browse your shares from the outside - seems logical to my amateur brain - M$ themselves advise against such a setup as insecure. But if you unbind F&PS from TCP/IP then you can't browse your local network.

So one suggestion is unbind File and Print sharing from TCP/IP and install a local protocol like IPX/SPX (or NetBEUI) and bind F&PS to that. This is said to be secure.

I'm starting to realise that networking is horribly complicated.....not sure that I'm smart enough to fathom all its mysteries

Apologies to the Towers for introducing such an arcane subject, but I've known several ordinary Joes like me who've tried to get their home networks going with the Internet and gotten themselves in quite a tangle once routers and DSL connections start to come into it. Even Windows native Internet Connection Sharing can be tricky if it doesn't work first time (as I know to my cost in the past). I promise I'll take my questions on the more abstruse aspects of networking to a more appropriate Forum in future!

Finally, thanks RTFM for explaining about broadcasts not crossing routed-network boundaries - silly of me not to have realised that.

PS: I think FreeSCO is very much worth having a look at - it really is extremely clever. How they manage to pack so much functionality into a boot stiffy is quite amazing.

PPS: Do I still need Zone Alarm if FreeSCO has its own firewall?

Naples Air Center, Inc.
16th Dec 2003, 02:52
Mac the Knife,

The only time you are going to see the shares is if you have the computer or printer in the DMZ. As long as you have them behind your hardware firewall, the internet should not be able to see them.

I run several print servers behind my firewalls at work and at home. They cannot be seen or accessed from the net. If you want to run a check of your system's security, run:

Gibson Research Corporation's Shields Up (http://www.grc.com)

Take Care,

Richard

RomeoTangoFoxtrotMike
16th Dec 2003, 05:24
Thanks RomeoTango...

You're welcome :)

Now a question - according to one source if you have File and Print Sharing bound to TCP/IP on the same subnet that also connects to the Internet that means that anyone can browse your shares from the outside - seems logical to my amateur brain - M$ themselves advise against such a setup as insecure. But if you unbind F&PS from TCP/IP then you can't browse your local network.

That would depend on your firewall: the point of a firewall is to protect your network services from outside intrusion or to allow you to set your desired policy for what servers and systems are visible and from where.

Binding F&PS to IPX/SPX may well "work" in the sense that IPX/SPX isn't routable across the internet, but it really shouldn't be necessary to indulge in "hacks" like that to get your security right -- that's what the firewall is for :)

I'm starting to realise that networking is horribly complicated.....not sure that I'm smart enough to fathom all its mysteries

It's only horribly complicated the way Microsoft choose to bog it up... :suspect:

Even Windows native Internet Connection Sharing can be tricky if it doesn't work first time (as I know to my cost in the past). I promise I'll take my questions on the more abstruse aspects of networking to a more appropriate Forum in future!

WCS is a pile of :yuk: Microsoft tried to invent their own way of doing things and it sucked; big time. They were very belated converts to the benefits of IP.
Stick to software that has always been able to do it properly and life will be a lot easier :ok:

Finally, thanks RTFM for explaining about broadcasts not crossing routed-network boundaries - silly of me not to have realised that.

Anytime :cool:

PS: I think FreeSCO is very much worth having a look at - it really is extremely clever. How they manage to pack so much functionality into a boot stiffy is quite amazing.

Am going to have play with it over Xmas -- have been an advocate of www.smoothwall.org (http://www.smoothwall.org/) for some time.

PPS: Do I still need Zone Alarm if FreeSCO has its own firewall?

There is a very valid point of view which says "defence in depth", i.e. don't rely on a single tool/weapon to protect you. So to that extent, yes. However, I've never been convinced about the merits of trying to "do" security on top of general purpose operating systems -- too easy for a flaw in the underlying OS to invalidate your security software. Coupled with the problems many people seem to report in using Zone Alarm, my personal view would be to learn how to use your dedicated firewall first (you can always come here for help and advice), and see how that does for you. On the Windows front, I've had good results with www.tinysoftware.com (http://www.tinysoftware.com/) in the past.

HTH,

RTFM
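RTFM's point that access to file and print sharing is a job for the firewall policy rather than for an unroutable protocol, together with Richard's earlier remark that shares are only reachable from outside if the host sits in the DMZ, as an added example (not FreeSCO's ruleset and not code from the thread): a small zone-based, first-match packet filter in Python with a state table for replies, in the spirit of the ipchains rulesets mentioned later in the thread. The zones (192.168.0.0/24 LAN, 192.168.1.0/24 DMZ, everything else Internet), the hosts 203.0.113.5 and 198.51.100.7, and the sample traffic are constructed for the example.

```python
"""Zone-based, first-match packet filter with a small state table.
Added example in the spirit of ipchains-style rulesets; not FreeSCO's own
configuration. Zones, hosts, ports and traffic below are constructed.
Policy: LAN hosts may open connections anywhere; the Internet may reach only
the DMZ web server; Windows file and print sharing (NetBIOS/SMB) is never
accepted from the Internet and attempts are logged; replies to LAN-initiated
flows pass via the state table; everything else is dropped.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {"lan": ipaddress.ip_network("192.168.0.0/24"),
         "dmz": ipaddress.ip_network("192.168.1.0/24")}   # anything else is "wan"


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "wan")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str        # "any" matches every zone
    dst_zone: str
    proto: str           # "any", "tcp" or "udp"
    dports: frozenset    # empty = any destination port
    action: str          # "ACCEPT" or "DROP"
    log: bool = False

    def matches(self, pkt):
        return (self.src_zone in ("any", zone_of(pkt.src))
                and self.dst_zone in ("any", zone_of(pkt.dst))
                and self.proto in ("any", pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


POLICY = [
    # NetBIOS/SMB from the Internet is dropped and logged before anything else,
    # whichever zone the target is in (even a DMZ host).
    Rule("wan", "any", "tcp", frozenset({139, 445}), "DROP", log=True),
    Rule("wan", "any", "udp", frozenset({137, 138}), "DROP", log=True),
    # LAN hosts may initiate to anywhere; their replies return via the state table.
    Rule("lan", "any", "any", frozenset(), "ACCEPT"),
    # The only inbound service exposed to the Internet is the DMZ web server.
    Rule("wan", "dmz", "tcp", frozenset({80}), "ACCEPT"),
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # accepted (src, dst, proto, sport, dport) tuples
        self.log = []

    def filter(self, pkt):
        # Replies to flows we already accepted pass regardless of zone.
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows:
            return "ACCEPT"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append(f"{rule.action} {pkt.proto} {pkt.src}:{pkt.sport} "
                                    f"-> {pkt.dst}:{pkt.dport}")
                if rule.action == "ACCEPT":
                    self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return rule.action
        return "DROP"   # default policy: deny


def demo():
    """Run constructed traffic through POLICY; returns (verdicts, log lines)."""
    fw = Firewall(POLICY)
    traffic = [
        Packet("203.0.113.5", "192.168.0.2", "tcp", 51000, 445),   # Internet -> LAN share
        Packet("192.168.0.2", "192.168.1.10", "tcp", 51001, 445),  # LAN -> DMZ share
        Packet("192.168.0.2", "198.51.100.7", "tcp", 40000, 80),   # LAN browses the web
        Packet("198.51.100.7", "192.168.0.2", "tcp", 80, 40000),   # ... and the reply
        Packet("203.0.113.5", "192.168.1.10", "tcp", 51002, 80),   # Internet -> DMZ web
        Packet("203.0.113.5", "192.168.1.10", "udp", 137, 137),    # Internet -> DMZ NetBIOS
        Packet("203.0.113.5", "192.168.1.10", "tcp", 51003, 22),   # Internet -> DMZ ssh
    ]
    return [fw.filter(p) for p in traffic], fw.log
```

`demo()` yields DROP, ACCEPT, ACCEPT, ACCEPT, ACCEPT, DROP, DROP with two logged entries: the share is browsable from the LAN and the web server from the Internet, the reply to the LAN's own web request comes back through the state table, and the two sharing probes from outside are stopped and recorded. The first-match ordering matters: the explicit sharing denies sit above the DMZ accept so that a DMZ host never has its shares exposed by a later, broader rule.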

Mac the Knife
17th Dec 2003, 02:02
Oooooh Kaaay...everything is now copacetic but I've learned one thing that I may as well pass on - ZoneAlarm and routers-on-a-switch don't mix well. I kept getting all sorts of puzzling and inconsistent results, fine one minute and then not the next. Eventually started getting "Ping: Transmit Failed, Error Code 65" error messages which prompted me to search Google (I'd never seen anything like it before). Most seemed to implicate ZoneAlarm - removed it and all suddenly became smooth sailing.

So the lesson is, as RTFM intimated in his last post, "However, I've never been convinced about the merits of trying to "do" security on top of general purpose operating systems -- too easy for a flaw in the underlying OS to invalidate your security software. Coupled with the problems many people seem to report in using Zone Alarm, my personal view would be to learn how to use your dedicated firewall first...." So I'm off to learn about ipfwadm and ipchains and so on and so forth... And I've removed IPX/SPX...trust and improve your firewall rather than kludge it up. ZoneAlarm seems to be just fine with a direct dialup connection - suggest caution with any other arrangement.

Thanks everyone - it's been a learning experience for me and hopefully any PPRuNers with the same problem will find the answers useful

PPRuNe Towers
17th Dec 2003, 02:18
Just glad to see you're sorted out now Mac - perhaps it's an idea to save a thread or a link to it on your own machine once you've reached a successful conclusion??

I know some of you already do this but it is something very useful to pass on.

Regards
rob

RomeoTangoFoxtrotMike
18th Dec 2003, 04:43
Mac,

Glad to hear you've got it sorted :ok: Feel free to post more questions here about firewalling if you need to :cool:

You might find this link (http://www.faqs.org/docs/Linux-HOWTO/Firewall-HOWTO.html) helpful.