Network Connection Limited or no Connectivity

  • Question

  • Century Link supplied us with new ZyXel PK5001Z modem\router. The router requires PPPoE login with no static IP. We have Windows SBS 2003 Server SP2 with 2 NICs. There is no router between the PK5001Z and the server. The PK5001Z is plugged directly into the server. I changed the IP on the PK5001Z from 192.168.0.1 to 192.168.1.1 and put the device in "Transparent Bridge" mode. At the server I accessed "Connect to the Internet" and set the Connection to "Broadband". I chose "A connection that requires a user name and password (PPPoE)". Clicked "New". PPPoE Connection name is "Small Business Broadband Connection". I entered my login credentials (user name & password) and clicked "next". Connection name is "Server Local Area Connection" IP 10.100.10.1  255.255.0.0

    I tried to "Enable Firewall" but it failed. I tried to "Disable Firewall" and failed. I tried "Do not change Firewall configuration" but that failed too. So, I just continued... I followed all of the prompts regarding Exchange. Everything passed except the Firewall.

    Server now has "Limited or no Connection" on the "Network Connection" in network connections. The "Server Local Area Connection" is connected.

    Workstations have internet access with a gateway of 10.100.10.1

    Here is the server's IPCONFIG:

    PPP adapter RAS Server (Dial In) Interface: 10.100.100.9 255.255.255.255 No Gateway is listed.

    Ethernet Adapter Network Connection: 169.254.94.86 255.255.0.0 No Gateway is listed.

    Ethernet adapter Server Local Area Connection: 10.100.10.1 255.255.0.0 No Gateway is listed.

    PPP adapter Small Business Broadband Connection: 174.124.13.214 255.255.255.255 Gateway 174.124.13.1. 

    I don't understand how we can access the Internet at all nor where I went wrong. Can someone please provide guidance?

    Thursday, November 15, 2012 1:23 PM

All replies

  • Hi:

    This challenge is hard to diagnose without knowing more about the ISP device, but I am going to assume from your comments that either it can be a router or you can add one between the SBS and the ISP device.  First you are correct to use SBS 2003 with 2 network cards so long as your edge device is not a UTM class firewall.  Proceeding from there, the edge device has got to have an ISP provided IP on the WAN side, either Static or DHCP assigned.  If you prefer to have the ISP device on bridge/pass thru mode, then the SBS internet nic should have the ISP provided IP.  I would prefer to have any router, even a home class entry level one between the SBS and the ISP, simply to add another layer of NAT and to give me a device I can control.  But in any case, the WAN side should be the ISP numbers, the LAN side should be different.

    If you have a router, I do it this way:  lan nic (1):  192.168.16.2, internet NIC (2) 192.168.61.2.  I do this just because it is easy to remember.  So on the LAN side, the SBS has a static of 16.2 and is the DHCP server for the stations.  On the WAN side, the SBS is 61.2 and the router is 61.1 on the LAN side and the IP of the ISP on the WAN side.  But without a router the SBS nic2 must have the IP assigned by the ISP, which I don't like because it is too close to my network.  Prefer the extra NAT between the SBS and the ISP that a router gives me.

    After that is straightened out...  

    ISP - (router) - SBS Nic1 - SBS Nic2- switch - stations.

    All addresses, except the ISP assigned one, should be 255.255.255.0 class C networks.  SBS expects them to be and there is no reason to fight it.

    Now carefully run the Connect to the Internet Wizard, putting in the ip address in the blocks provided.  If you have other questions about the wizard, please ask.

    Let us know the result.


    Larry Struckmeyer[SBS-MVP]

    • Proposed as answer by Andy Qi Monday, November 19, 2012 7:10 AM
    • Marked as answer by Andy Qi Tuesday, December 4, 2012 8:40 AM
    Friday, November 16, 2012 11:43 AM
  • If the server is plugged directly into the modem, with no switch, then it might be as simple as you needing a crossover cat5 cable rather than a normal cat5 cable. Try with a switch in the middle to rule that out.

    Jim

    Friday, November 16, 2012 11:45 AM
  • Larry, Thanks for the input and your time! We lost all internet over the weekend! I've contacted the ISP (CenturyLink). They have now told me that we have static IP of 69.179.81.49 255.255.255.255 no gateway. They said that when the server is set to PPPoE it should pull this IP info in automatically. They also said that there were additional steps required to set the modem into bridge mode other than just choosing "Transparent Bridge".  I intend on resetting the modem back to the defaults and following the CenturyLink provided instructions for bridging. Then following the instructions http://support.microsoft.com/kb/825763 configuring 2 network adapters page 2 - 7 and inputting the provided IP info (although I'm confused about the "no gateway" deal). Then follow the CEICW option 2 "Two network adapters - direct connection to broadband with PPPoE" on pages 10-12. Last time I did this I got Firewall errors???  We'll see what happens. I won't be doing this until late this afternoon so if you've got any warnings or other inputs, I'd greatly appreciate them!

    T. Frederick

    Monday, November 19, 2012 5:35 PM
  • Although I still cannot tell about the ISP furnished device, you should be fine.  I still do not like the public ip on my servers.  Even in the ISA days, I used a $50 Linksys router between server and ISP device.


    Larry Struckmeyer[SBS-MVP]

    Monday, November 19, 2012 6:25 PM
  • Larry, I have planted the seed regarding purchasing a router to put between the modem and server. Here is an update: After 1.45hr on the phone with CenturyLink we discovered that the modem was not authenticating at CenturyLink. Apparently it was not automatically pulling in our connection information. We finally got the modem\router (ZyXel PK2001K) to authenticate by manually setting up the PPPoE Connection. We then bridged the modem and verified that we could connect via a PPPoE connection by setting up a PPPoE connection on my laptop. Then we moved the bridged router to the Server and I ran the CEICW Internet Connection Wizard. At the Firewall prompt I chose "Don't change the firewall settings" but once again I received a "non-specific" firewall error message. After continuing on and completing the wizard, we could not connect. I reset the Modem\Router and manually set up the PPPoE connection information in the router and verified that I could connect via my laptop. I then moved the router back to the server and ran the CEICW Internet Connection Wizard and chose "Broadband Connection". The server then connected to the Internet. I set the IP on the "Network Connection" to static so that the router would not change it via DHCP. It's working so far. Could the issue with the PPPoE connection at the server be related to a firewall issue? Any input would be of value and very much appreciated as you seem to be my only resource. Thank you for your time and patience.

    T. Frederick

    Tuesday, November 20, 2012 1:20 PM
  • Hi:

    Don't you just love ISP support?  They tell you it will work, should work, and when you tell them it isn't they discover it doesn't because of some flaw in their branch of ethernet.  <g>

    If you have internet access from the SBS and the stations, and if RWW works from outside, I would pronounce it "fixed", and go back to your regularly assigned duties.  It does concern me a bit that nic2 (internet) has a static assigned ip to match the isp provided settings, but if they can confirm that it is indeed static and not DHCP you should be fine.  BTW, isp DHCP addresses change rarely because the device they are assigned to is seldom offline long enough to lose its lease.  But isps can and do change their settings.

    If you get a router, you can simply move the isp assigned settings up stream and create a mini network between the SBS nic2 and the router.  If you get a real UTM firewall you can stay as you are, or go to one nic in the SBS and use the firewall as the gateway to the internet.  That is:

    internet - firewall - switch - everything else.

    This is actually a more secure arrangement than SBS with two nics.  One could argue that SBS with two nics and a UTM firewall would be even more secure, but since SBS after 2003 will not work with two nics, you will have to change it at some point.


    Larry Struckmeyer[SBS-MVP]

    • Marked as answer by Andy Qi Tuesday, December 4, 2012 8:40 AM
    Tuesday, November 20, 2012 1:54 PM
  • Larry, The modem/router's IP is 192.168.1.1. The IP I statically assigned to nic2 (internet) is not the ISP provided IP. I merely assigned it 192.168.1.2 255.255.255.0 with the gateway of 192.168.1.1 with the thinking that since DHCP is turned on in that router, it may arbitrarily change the IP of the NIC. I can certainly choose obtain IP automatically if that's more logical.

    My problem now is since I ran the CEICW connect to broadband option I now have a firewall issue. I cannot connect remotely and desperately need to in the future. When I try to open the Windows Firewall I receive: Windows firewall cannot run because another program or service is running that might use the network address translation component (ipnat.sys).  I'm reading that this is related to the way I ran CEICW? Do you know the steps in resolving this issue? One thing after another....


    T. Frederick

    Tuesday, November 20, 2012 3:01 PM
  • Then that isp device is acting as a router.  If the ISP public address is on the WAN side of the isp device, and you have a private ip range, which 192.168. is, then you need to 1.  Turn off the DHCP server on router, and 2.  Gain access to the router to forward the SBS required ports to the internet nic address of the server (192.168.1.2). 

    You can test by several internet sites that show the ports "opened" when you connect to them from the SBS.

    Also, I would change the subnet on the internet side to NOT 192.168.1.x or 0.x as those are frequently used by home routers and will make for unreliable VPN connections, should you ever need them.


    Larry Struckmeyer[SBS-MVP]

    • Marked as answer by Andy Qi Tuesday, December 4, 2012 8:41 AM
    Tuesday, November 20, 2012 3:19 PM
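
The addressing advice given in the replies up to this point (255.255.255.0 on private segments, no public IP directly on the server, internet-side subnet kept off 192.168.0.x and 192.168.1.x) can be checked mechanically. The following is an added example, not code from any poster in this thread; `audit_plan` and its finding strings are hypothetical names, and the sample plans are built from the addresses quoted in the thread.

```python
import ipaddress

# Ranges most home routers ship with. The thread advises keeping the
# internet-side subnet off them so VPN clients do not collide with it.
HOME_ROUTER_DEFAULTS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def audit_plan(lan_nic, internet_nic, router_lan_ip=None):
    """Return findings for a two-NIC server addressing plan (hypothetical helper).

    lan_nic and internet_nic are "address/mask" strings. router_lan_ip is the
    LAN-side address of the edge device, or None when that device is bridged.
    """
    lan = ipaddress.ip_interface(lan_nic)
    ext = ipaddress.ip_interface(internet_nic)
    findings = []

    if lan.network.overlaps(ext.network):
        findings.append("LAN and internet-side subnets overlap")

    # Private segments are expected to be 255.255.255.0 (/24).
    for name, nic in (("LAN", lan), ("internet", ext)):
        if (nic.ip.is_private and not nic.ip.is_link_local
                and nic.network.prefixlen != 24):
            findings.append(f"{name} NIC mask is /{nic.network.prefixlen}, expected /24")

    if ext.ip.is_link_local:
        findings.append("internet NIC has a 169.254.x.x address (nothing assigned it one)")
    elif not ext.ip.is_private:
        findings.append("internet NIC holds a public IP: no NAT layer in front of the server")
    elif any(ext.network.overlaps(n) for n in HOME_ROUTER_DEFAULTS):
        findings.append("internet-side subnet is a home-router default: VPN clients may collide")

    if router_lan_ip is not None:
        router = ipaddress.ip_address(router_lan_ip)
        if router not in ext.network or router == ext.ip:
            findings.append("router LAN address is not a distinct host on the internet NIC subnet")
    return findings


if __name__ == "__main__":
    # Plans constructed from the addresses quoted in the thread.
    plans = {
        "as posted (router at 192.168.1.1)":
            ("10.100.10.1/255.255.0.0", "192.168.1.2/255.255.255.0", "192.168.1.1"),
        "bridged, ISP address on the server":
            ("10.100.10.1/255.255.0.0", "174.124.13.214/255.255.255.255", None),
        "16.2 / 61.2 scheme from the reply":
            ("192.168.16.2/24", "192.168.61.2/24", "192.168.61.1"),
    }
    for label, plan in plans.items():
        print(label, "->", audit_plan(*plan) or "no findings")
```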
  • So, You don't think that the Connect to the Internet wizard in CEICW caused this firewall issue? I'm getting this from your post:

    http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/c8c4459f-f67f-4822-91c0-57361ee2a591

    And, if it is, do you know how to disable it?


    T. Frederick

    Tuesday, November 20, 2012 5:08 PM
  • Sorry, I missed your concern about the firewall.  I think we have determined you do have a router?  In which case you should re-run the wizard and select router.  That post also discusses issues with RRAS, but I don't see anything in your comments that would suggest that is your issue.

    Larry Struckmeyer[SBS-MVP]

    Tuesday, November 20, 2012 5:24 PM
  • The ISP device, in original config (and maybe now, I skimmed) is acting as a 'simple NAT router'.

    A simple NAT router in front of SBS is fine, though many of us would prefer 'a more advanced firewall device'.

    Take the ISP device out of 'bridged mode' (if you haven't already) and let it do what it does, connect to internet and 'protect' you via NAT.

    Set the 'external' NIC on SBS to be in an appropriate subnet to talk to the device.

    'forward' 25/443/4125 from the device to SBS 'external IP'.

    Run the CEICW, choosing to connect via router.

    job done. Feet up, stogey, beer.

    The device, as a simple NAT router, most probably offers minimal reporting or 'attack detection' but THAT's FINE, the NAT protects the server by refusing all connections to ports that are not forwarded to SBS.

    Again, many of us would prefer 'a more capable firewall device', but OTOH I've seen SBS implementations with $5K 'more capable firewall devices' that are configured to act as _nothing more_ than 'simple NAT routers'. _NONE_ of the advanced facilities being taken advantage of.

    My current 'favourite improvement'... take an old PC and install UnTangle on it, in bridged mode.

    Though it must be realised that I'd also BEG the client to allow me to get rid of 'this old piece of rubbish' (SBS03 is _very near_ End of Life).

    • Marked as answer by Andy Qi Tuesday, December 4, 2012 8:41 AM
    Wednesday, November 21, 2012 9:43 AM
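
The claim in the reply above, that the NAT device refuses everything except the forwarded ports 25/443/4125, can be verified by comparing what actually answers with that allowlist. The following is an added example, not code from any poster in this thread; `probe` and `audit_exposure` are hypothetical names, and the demo uses constructed loopback listeners so it runs offline.

```python
import socket

# Ports the reply above forwards from the NAT device to the SBS external NIC.
FORWARDED = {25, 443, 4125}


def probe(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_exposure(host, ports, allowed=FORWARDED, timeout=1.0):
    """Compare what answers on `host` with the forwarding allowlist.

    Returns (unexpected, missing): ports that accept connections although
    they were not forwarded on purpose, and allowlisted ports that do not
    answer. Only the ports listed in `ports` are tested.
    """
    ports, allowed = set(ports), set(allowed)
    reachable = {p for p in ports if probe(host, p, timeout)}
    unexpected = sorted(reachable - allowed)
    missing = sorted((allowed & ports) - reachable)
    return unexpected, missing


if __name__ == "__main__":
    # Constructed loopback demo: one listener stands in for a forwarded port,
    # the other for a port that was opened by mistake.
    ok, stray = socket.socket(), socket.socket()
    for s in (ok, stray):
        s.bind(("127.0.0.1", 0))
        s.listen(1)
    ok_port, stray_port = ok.getsockname()[1], stray.getsockname()[1]
    print(audit_exposure("127.0.0.1", [ok_port, stray_port], allowed={ok_port}))
    ok.close()
    stray.close()
```

For a real check, run it from a machine outside the NAT device against your own public address, passing the forwarded ports plus any other ports the server listens on; an empty `unexpected` list is the result the reply describes.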
  • Thank you very much!

    T. Frederick

    Wednesday, November 21, 2012 5:39 PM
  • Larry, After a hair pulling evening I believe all issues are ironed out. I really appreciate your input. Here is what happened: I re-ran CEICW and pointed to a "Router with an IP", chose "enable the firewall". Got an error message on the firewall. Continued and finished. Everything including workstations worked fine but still no remote access via wireless laptop. Stopped the "RRAS" service. Still no remote access. Grasping at straws, I read that stopping the RRAS service will not resolve the firewall issue, so I disabled RRAS via computer management. Boom, I was able to turn off and on the Windows Firewall in the server and I gained remote access. Then, all of a sudden I lost all workstation and wireless connection to the internet but still had it at the server. After freaking out, I reviewed the services and observed that the HTTP SSL & WWW Publishing services had stopped. Tried to manually restart the HTTP SSL service but received an error message stating that the file is missing. Tried to start WWW Publishing but got an error stating that it couldn't start because of a dependency. Freaked out again! Reran CEICW, pointed to a "Router with an IP", chose enable firewall but this time all firewall options regarding permissions were de-selected. So, I selected most all including Terminal Services. Continued on making no other changes at each prompt. Again, I received an error on the firewall and continued. Still no workstation connectivity to the internet. Freaking out thinking that I really broke things by disabling RRAS, I rebooted the server. When the server came up, I got an error saying that "one or more services didn't start". Reviewed the services. ICS service was the one that failed. WWW Publishing and HTTP SSL were started. RRAS returned to the "Services and Applications" and was enabled. Could the firewall error I received in CEICW have been misleading????
All workstation and wireless were able to access the internet and most of all I was able to gain remote access. I verified this by remoting to home and then from home remoting into the server. All was well. Decided not to do any more tinkering and leave well enough alone. I will make the additional changes that have been suggested once I gain my confidence back. I do not know if the above was relevant or just a quirk but perhaps I should just quit IT while I'm ahead. I sincerely appreciate your help, guidance and patience!  Tim


    T. Frederick

    • Marked as answer by Andy Qi Tuesday, December 4, 2012 8:40 AM
    Wednesday, November 21, 2012 6:11 PM