Shift from static to dynamic IPs

Hello, I have recently been trying to make some changes to my home network. I have been using static IPs for the past few years but I would like to change to dynamic IPs in order to make it easier for guests, etc. However, I cannot seem to get internet connection sharing to work correctly with the dynamic IP configuration.

My current network setup has the broadband connection directly connected to one computer, which then is connected to a single switch to which all other computers will connect. The broadband connection has sharing enabled.

Under the static configuration, I gave the office computer (the one with the broadband) a static IP and subnet, then assigned different static IPs to the other computers and used the office computer's IP as the gateway and DNS server. This has been working fine so far.

However, now when I change the office computer's static IP to automatic, as well as the other computers, I can no longer get any internet. The office computer's IP address does not seem to have changed even though it is on automatic. ipconfig /renew holds up and does nothing. The other computers have IP addresses and subnets, but do not have gateways or DNS servers.

Does anyone have any advice on how to fix this problem?

Also, if I were to switch the office computer over to ubuntu linux, would that cause problems with the networking? Does such a switch require me to set up the broadband connection all over again?

Thank you for your help.
 
I would just invest in a simple wired router depending on what your broadband connection is. Makes things much easier than using ICS.
 
Or you could just set up a low-end computer with untangle/pfsense/smoothwall/etc... and set it up so that your machines are assigned an IP based on their MAC address, then any other machine that gets connected gets assigned a dynamic IP.

gives you the best of both worlds
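Added example (not code from the thread or from any of the projects it names): the allocation policy behind "known machines get a fixed address by MAC address, anything else gets a dynamic one", written as a small Python model of one DHCP scope. The gateway address is kept static and outside the pool, reservations win over the dynamic range, and a client that asks again gets the address it already holds. The subnet, MACs and addresses are constructed placeholders.

```python
import ipaddress

# Constructed example (not from the thread): reservation-by-MAC plus a dynamic
# pool, with the gateway's static address kept out of the lease pool.
class DhcpScope:
    """One subnet's address pool with per-MAC reservations and lease memory."""

    def __init__(self, network, pool_start, pool_end, gateway):
        self.network = ipaddress.ip_network(network)
        self.gateway = ipaddress.ip_address(gateway)      # static, never leased
        first = int(ipaddress.ip_address(pool_start))
        last = int(ipaddress.ip_address(pool_end))
        self.pool = [ipaddress.ip_address(n) for n in range(first, last + 1)]
        for addr in (self.gateway, *self.pool):
            if addr not in self.network:
                raise ValueError(f"{addr} is outside {self.network}")
        self.reservations = {}                            # mac -> fixed address
        self.leases = {}                                  # mac -> address in use

    def reserve(self, mac, ip):
        """Pin a MAC to an address; it must be in the subnet and not the gateway."""
        addr = ipaddress.ip_address(ip)
        if addr not in self.network or addr == self.gateway:
            raise ValueError(f"cannot reserve {addr}")
        if addr in self.reservations.values() or addr in self.leases.values():
            raise ValueError(f"{addr} already assigned")
        self.reservations[mac.lower()] = addr

    def allocate(self, mac):
        """Address to offer this MAC, or None if the dynamic pool is exhausted."""
        mac = mac.lower()
        if mac in self.reservations:                       # known machine: fixed address
            return self.reservations[mac]
        if mac in self.leases:                             # same client, same address
            return self.leases[mac]
        taken = set(self.reservations.values()) | set(self.leases.values()) | {self.gateway}
        for addr in self.pool:
            if addr not in taken:
                self.leases[mac] = addr
                return addr
        return None

    def release(self, mac):
        """Forget a dynamic lease so the address can be handed to someone else."""
        self.leases.pop(mac.lower(), None)

    def options(self):
        """What every client is told besides its address: mask, router, DNS."""
        return {"subnet_mask": str(self.network.netmask),
                "router": str(self.gateway), "dns": str(self.gateway)}


if __name__ == "__main__":
    scope = DhcpScope("192.168.0.0/24", "192.168.0.10", "192.168.0.12", "192.168.0.1")
    scope.reserve("aa:bb:cc:dd:ee:01", "192.168.0.5")      # the office printer, say
    for mac in ("aa:bb:cc:dd:ee:01", "00:00:00:00:00:01", "00:00:00:00:00:02"):
        print(mac, "->", scope.allocate(mac))
```

The point of keeping the gateway out of the pool is the same one TJ makes later in the thread: clients learn the router and DNS address from the options, so that address must never change under them.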
 
I ran my Internet through my PC and then shared it with a switch to my other computers when a router died on me. This was on XP or maybe even 2k many years ago so I really don't remember much about it.

What I do remember involved setting the one NIC up to handle the connection to my modem and you seem to have that covered. Then set the other NIC up, but I don't remember much about the settings. After that in networking I highlighted both NICs, right clicked and selected bridge connection.

That's about all I remember, not sure it will help.

I have to agree with the other people when they say get a router or set up an old PC with something like PFSense.
 
I played with ICS years back and all I remember is that it was a real pain; I couldn't get it to work right and it was barely configurable.

Definitely get a router or build your own. You'll be glad you did.
 

Ya, the problem with bridging is that many times it screws up the internet access for the machine you are creating the bridge on.
 
Definitely go get yourself a router, much easier to deal with and better security. If you have a spare PC laying around then I would highly recommend using that as your gateway/router running one of the many UTM *nix distros out there such as Untangle, Astaro Home, Endian, ClarkConnect, etc.
 
You need a DHCP server to assign addresses dynamically. Are you sure that the ICS feature in Windows starts a DHCP server? If you're not sure, fire up Wireshark and look for DHCP packets.
 
In today's day and age, there is absolutely no reason not to use a dedicated router/switch/DHCP server combo device in a SOHO environment.
 
Hello everybody, this is my first post! I decided to sign up because I couldn't leave unpunished all the good answers you got, krazyklutzykorean ;D Too bad I have to wait 24h for account approval, I am looking forward to being snob, mean and obnoxious to all those whose only mistake was trying to help someone with what they (barely) know!

PS: Apart from Mcot and criccio, who (really) know what they are talking about and answered after I wrote this. Hi guys. Criccio, are you by any chance Italian like me?

Your problem is very simple indeed, krazy. No need to blindly quote the FAQ and sing with the choir you need a router (are you guys all Cisco undercover agents?). You do not need a router. You need the DHCP server a router provides, and that's software, not hardware, a software you already have btw (this was not in the FAQ...). It must have slipped their minds to tell you one of the golden rules of networking: to have a DHCP service, you need a DHCP server (don't I REALLY sound FULL of it?)

[krazyklutzykorean] ipconfig /renew holds up and does nothing.

Guess why?

[krazyklutzykorean] The other computers have IP addresses and subnets, but do not have gateways or DNS servers.

The DHCP client has a timeout after which it assigns the NIC a random IP from the automatic private IP pool (169.254.0.0/16, the IPv4 Link-Local) so that the net will maintain some IP functionality in case all the clients face the same problem, e.g. when the DHCP server is down. Of course it cannot do the same with a gateway or DNS server. Without the DHCP server telling where they are (it is its job!) the client is totally clueless.

Another little misunderstanding is about what to make automatic and what to keep static, as none of the answers seems to catch the glitch.

[krazyklutzykorean] However, now when I change the office computer's static IP to automatic, as well as the other computers, I can no longer get any internet.

This is something you don't want to do, krazy. DHCP is to be activated only on the clients (PCs, printers and such) not on the gateway (router, firewall and such). Even with DHCP the gateway needs a static IP, because DHCP negotiates IPs only on first connection. If your clients are connected to the gateway and the gateway is rebooted with DHCP active, it can possibly wake up with a new IP tossing any previously connected PC to the pre-internet era. [You actually can have the DHCP server to assign an address to the gateway too, but that must be static anyway so don't waste your time learning how to configure DHCP to do that when it is so simple and quick to do it by hand]

This of course has nothing to do with you losing your internet connection when activating DHCP, that depends on the current absence of a DHCP server listening on the net.

[krazyklutzykorean] Does anyone have any advice on how to fix this problem?

Here is your zero-cost, router-free, guaranteed-to-function (LOL), five-minute-start-to-finish, adjectivally-messed-up to-do list. You don't seem an idiot so I will spare you the "move your mouse and click exactly where I tell you" level explanation. I will also take for granted (you have a DNS server and you use ICS) that you installed an MS server OS on the gateway.

So go to the gateway, open IP config window and assign a static address. Open service configuration, change the startup type of the DHCP server to automatic, start the service and verify it is active (you can optionally disable the DHCP client service). Now you have to configure the DHCP server with mmc, a relatively simple operation you will probably be able to do by yourself but if you need help you can find the greatest level of detail here.

Then you go through each client and set the automatic IP configuration. No need to reboot the clients, just disable the NIC and reenable it. Then tell us what happened!

[krazyklutzykorean] Also, if I were to switch the office computer over to ubuntu linux, would that cause problems with the networking? Does such a switch require me to set up the broadband connection all over again?

To the second question no, the connection settings on all of the clients can be kept exactly the same. It will require a little more work on the server side, though; Linux doesn't natively support Windows networks (based on the SMB protocol; look for Samba for a Linux implementation). To the first question absolutely not! Linux is a wonderful networking system, arguably inferior to Windows to say the least, and with proper setup can integrate perfectly in any SMB environment.

Best you can do is experiment with a live CD edition. Load the OS on the gateway and run Samba. Standard on most Linux distros including Ubuntu, easy to configure, works in Windows server and Active Directory domains, Samba is a piece of work. See how it integrates with your network, I am pretty sure you will find the switch from MS to freedom easier done than said. Enjoy!

TJ
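Added example, not code from TJ or from anyone else in the thread: a small Python DHCP parser in the spirit of the earlier "fire up Wireshark and look for DHCP packets" advice. It walks a capture, groups packets by transaction id, and reports for each client whether any server answered its DISCOVER and, if so, whether the answer carried the router and DNS options; it also has a check for the 169.254.0.0/16 fallback TJ describes. The sample traffic is constructed inline (the MACs and 192.168.0.0/24 addresses are placeholders); to use it on a real capture, feed it the UDP payloads of ports 67/68.

```python
import ipaddress
import struct

# Constructed example (not from the thread): parse DHCP payloads and answer the
# question behind "ipconfig /renew hangs": is any server replying at all?
MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2131 marker before the options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE = 1, 3, 6, 53
APIPA = ipaddress.ip_network("169.254.0.0/16")  # Automatic Private IP fallback range


def build_dhcp(msg_type, xid, mac, yiaddr="0.0.0.0", options=()):
    """Build a minimal BOOTP/DHCP datagram; only used to construct sample traffic."""
    op = 1 if msg_type in (1, 3) else 2           # BOOTREQUEST for DISCOVER/REQUEST
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
        b"\x00" * 4, ipaddress.ip_address(yiaddr).packed,  # ciaddr, yiaddr
        b"\x00" * 4, b"\x00" * 4,                          # siaddr, giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128)               # chaddr, sname, file
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, data in options:
        body += bytes([code, len(data)]) + data
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(packet):
    """Return xid, client MAC, message type, offered address and options,
    or None when the payload is not DHCP (no magic cookie at offset 236)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    hlen = packet[2]
    xid = struct.unpack("!I", packet[4:8])[0]
    yiaddr = str(ipaddress.ip_address(packet[16:20]))
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, 240
    while i < len(packet):                         # walk the TLV option list
        code = packet[i]
        if code == 255:                            # end marker
            break
        if code == 0:                              # pad byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    return {"xid": xid, "mac": mac, "type": msg_type, "yiaddr": yiaddr, "options": options}


def is_apipa(ip):
    """True if the client timed out waiting for a server and self-assigned."""
    return ipaddress.ip_address(ip) in APIPA


def diagnose(packets):
    """Per transaction id: did a server reply, and did it hand out router and DNS?"""
    replies = {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg is None:
            continue
        replies.setdefault(msg["xid"], None)       # register the transaction
        if msg["type"] in ("OFFER", "ACK"):
            replies[msg["xid"]] = msg
    verdicts = {}
    for xid, reply in replies.items():
        if reply is None:
            verdicts[xid] = "no server answered"
            continue
        missing = [name for code, name in ((OPT_ROUTER, "router"), (OPT_DNS, "dns"))
                   if code not in reply["options"]]
        verdicts[xid] = "offered " + reply["yiaddr"] + (
            " but missing " + ", ".join(missing) if missing else " with router and dns")
    return verdicts


# Constructed capture: placeholder MACs and 192.168.0.0/24 addresses.
GW = ipaddress.ip_address("192.168.0.1").packed
MASK = ipaddress.ip_address("255.255.255.0").packed
SAMPLE_CAPTURE = [
    build_dhcp(1, 0x1001, "00:11:22:33:44:55"),                 # asks, nobody answers
    build_dhcp(1, 0x2002, "66:77:88:99:aa:bb"),
    build_dhcp(2, 0x2002, "66:77:88:99:aa:bb", "192.168.0.50",  # complete offer
               [(OPT_SUBNET, MASK), (OPT_ROUTER, GW), (OPT_DNS, GW)]),
    build_dhcp(1, 0x3003, "cc:dd:ee:ff:00:11"),
    build_dhcp(2, 0x3003, "cc:dd:ee:ff:00:11", "192.168.0.51",  # scope without options
               [(OPT_SUBNET, MASK)]),
]

if __name__ == "__main__":
    for xid, verdict in diagnose(SAMPLE_CAPTURE).items():
        print(f"xid {xid:#x}: {verdict}")
```

The two failure modes in the sample are exactly the ones the original poster saw: a transaction with no reply is what leaves clients on 169.254.x.x with `ipconfig /renew` hanging, and an offer without options 3 and 6 is what leaves them with an address and mask but no gateway or DNS server.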
 
LOL @ TJohnny. What a first post. The reason most of us Cisco undercover agents recommend a router is because most consumer routers also feature such things as a NAT/SPI firewall. Why the hell would you want to have a Windows based computer directly connected to the internet? Sure ICS works, most of the time, but as someone who DOES know a thing or two about networking I find it irresponsible to not recommend a dedicated firewall appliance to protect a LAN.
 
Come on, captain, I was kidding! I am not even close to being as bad as I would like ;) I only have to clear up an apparent misunderstanding. It was not me who convinced krazy to connect to the internet without a hardware firewall, he decided it all by himself. I just gave him the opportunity to do what he wanted at minimum cost as I always do, I like efficiency. Of course "a router is better than just ICS" and a Ferrari is better than just a Tata, we are in the realm of the obvious. But we fall back down to reality as soon as we see the difference in the price tag.

Moreover, security is not an absolute criterion, that is why you do not put a $1000 armoured door on a private toilet. Most home and office networks are of limited to null value for a hacker and it is foolish to protect them excessively. Because, from how you speak, it seems that a computer connected to the internet is a completely open door, as long as it is not behind a hardware firewall and NAT. Then let me tell you it is not. An updated Windows system with firewall on is extremely difficult to hack, a newly published exploit is normally valid only a few days before a patch is ready. While it is often easier to exploit installed software (rare or completely absent on servers) it is never easy to hack a machine and it must be worthwhile. There is nothing blasphemous about a small network connected to the internet without a router.

So let's make peace, cap'n. At times I like to play the villain, that's all. You called me irresponsible and that is very bad :eek: but can you say I ever mentioned? :D

Peace made?

TJ
 
LOL Tjohnny, I agree with your intention to help to get ICS working. Like I said it was a long time ago that I did this and I am sure if the need came up I could figure it out again. It is nice to be able to keep your network alive when your router fails.

But like Captain pointed out everyone is recommending a router as a long term solution due to the added security and reliability offered at what is a very low price.

I wouldn't compare having a router to owning a Ferrari though. If you can afford more than one PC to network you should be able to afford a router or have an old PC to run something like PFSense, IPCOP or the like on.

And having a basic hardware firewall really isn't overkill, especially when the hardware does more than just act as a hardware firewall. It is true that most people have way more to fear from the things they allow to be run than from an outside attack. But the risk is there and the only incentive needed to try is getting control of your high speed connection to spam or participate in DoS attacks. The potential to gain banking and credit card information is just a bonus. Also we still see people here who are afraid to install a Windows service pack many months after release, so I never assume people are patching Windows vulnerabilities.
 
ROFLMAO. This thread made my day.

Thanks to everyone, especially TJohnny.
 
LOL Tjohnny, I agree with your intention to help to get ICS working.

And I agree with everything you said in your post, you can even verify I am behind a "fascist" proxy as I call it, not even a router. The problem is that my approach to modding anything is very soft and basic. First rule, do not touch anything. Second rule, touch something only after popping and smoking. Third rule, do not touch anything!

In another thread where we talk about modded wifi antennas, my first advice is to leave the antenna as it is. Krazy has this perfectly working connection without a router and just wants to use automatic IP configuration instead of static. Why add a router anyway? In general, why change what is working satisfactorily?

I like your style, TGA. Hope our paths will cross again soon.

TJ
 
It's not so much "locked down security" of the home network, but protecting the computers behind NAT from all the "noise" of the internet, and worms/trojans that spread around.

Through the many years working in IT, it cannot be a coincidence that whenever I have to sit down and work on a PC that is plugged directly into a broadband modem with a public IP address..that PC is rather infested. PCs behind NAT routers have far less problems. Many of those worms 'n trojans spread by themselves across the IP ranges of an ISP. Many home users don't check for windows updates every single day to help protect them. Many people also will leave the Administrator account <blank> on their home PCs. This does make the PC an open door if it's not behind NAT.

Yeah the Windows firewall can help, but it can be knocked out, so can many 3rd party software firewalls...there is some malware out there that is coded to specifically knock out some popular firewall brand services. I've seen this happen many times to PCs. With ICS running a network..that gateway PC has the red NIC on a public IP.

 
Through the many years working in IT, it cannot be a coincidence that whenever I have to sit down and work on a PC that is plugged directly into a broadband modem with a public IP address..that PC is rather infested.

It is not a coincidence, as a matter of fact, but a result depending on several factors not all related to living behind a NAT service. The following are a few things that come to my mind stimulated by your reflections.

1) Unprotected access is typical in home networking, where the type of content is unlimited and the activities laid-back, while protected access is typical at work, where the content is limited and the activities more formal. This makes protected computers appear less prone to infections.

PCs behind NAT routers have far less problems. Many of those worms 'n trojans spread by themselves across the IP ranges of an ISP.

2) PCs behind NAT routers are often behind a proxy-based firewall too (ISA and such). This arrangement is extremely effective against worms and trojans that download from the internet, especially if the proxy enforces NTLM authentication. Only a few malwares know how to do it and this dramatically reduces infectivity and damage inflicted on protected computers.

Many home users don't check for windows updates every single day to help protect them.

3) Another reason, unrelated to NAT or proxying, why home computers appear (and are) more vulnerable.

Many people also will leave the Administrator account <blank> on their home PCs. This does make the PC an open door if it's not behind NAT.

4) Like point 3.

Unfortunately, no NAT can keep a hacker from finding out a Windows password of any length as long as they can redirect your browser to a perfectly normal HTML page. It is one of the most insecure features of Windows: it tries to authenticate by passing hashes to anything, even web pages. When I have the hash it is a matter of time (from a few seconds to a couple of hours on a dual-core CPU) to crack it. It may sound just incredible, but the winauth encryption algorithm is so flawed that password length is irrelevant beyond seven chars.

But of course you mean that once I have the password (or they leave a blank password) I cannot access the computer when it is hidden by NAT, and you are right, but the real menace does not come from the internet, believe me. Good hackers are few and to be targeted by one of them is almost a privilege (almost!). Most of the problems come from our behaviour, Stonecat, because I never (and I mean NEVER) saw a computer with only a few safe programs installed seriously infected, no matter the kind of internet connection it had, while systems completely isolated from the net get infected very easily by freeware/shareware programs installed from CD or USB.

I realize now that there is something to point out, because we often speak of hackers as the same persons that write malware. They are not hackers and very seldom do their programs allow taking full control of the machine as a hacker needs. Moreover, real hackers start with your clean system now and in half an hour or less they are back with what they needed. Your computer is intact (maybe just a backdoor is left open for subsequent visits) and normally you will never realize it has been compromised. The reasons for doing something different like destroying the system or infecting it with malware whatsoever are very few. You do not kill the hen laying golden eggs, do you?

With ICS running a network..that gateway PC has the red NIC on a public IP.

Sorry, my English is very far from perfection, you mean the gateway with ICS is showing a red flag attracting hackers? Because this would not be true. There are just a few exploits for ICS and all related to Denial of Service, a low-level security issue, and of course you know that DoS can be achieved by simply flooding a server with packets of any nature, as long as the attacker's connection is just as fast or faster than the server's. If the purpose is reducing (or zeroing) the bandwidth, any kind of datagram will do it. It is like dialling someone's number all the time (packet flooding). Even if the victim does not answer (server is firewalled) it is pretty obvious that they will not be able to use the telephone anymore for incoming calls (DoS). Of course a couple of years ago the situation was much different and ICS could be knocked down together with Windows firewall by a single crafted DNS request... Ah, the Golden Age of hacking!

Another thing just a few seem to realize when they say ICS will never achieve the same level of security of NAT is that... ICS is a NAT service. And a pretty good one, perfectly integrated with the OS, with a rapid security update turnaround and free. Ok, ICS is by Microsoft and someone among you has a signature that goes (more or less): "The day that Microsoft makes a product that doesn't suck, they make a vacuum-cleaner."

Very funny, but I do not agree. WXP Pro SP3, for example, is a wonderful piece of software, nobody will ever make me change my mind on that. Is it weak on security? *nix is arguably stronger. Is it costly? Good things are never cheap. Is it horribly overbloated and resource-hungry? Yes, it definitely is!

I hope you did not take anything I wrote as a criticism, quite the opposite. I like your style, Stonecat, you make me feel like talking and that is why I wrote this dreadful wall-of-text. Sorry everybody!

TJ
 
2) PCs behind NAT routers are often behind a proxy-based firewall too (ISA and such).

When I'm saying NAT...I'm lumping things up as meaning PCs are behind a plain NAT router. Like any old Linksys/Netgear/DLink, etc....home grade routers, and on up to SOHO, etc. ISA is more for the larger enterprise networks, and a few SMB networks behind SBS Premium. Relatively small percentage of networks out there. Hardly any home users run on ISA...outside of us tech guys with subscriptions to MS Action Pack or MSDN.

Lemme illustrate what I'm usually referring to....when I refer to the protection of NAT.

Take a new computer, lets say...with Windows XP on it. Say for example the image comes with XP SP2, you unbuckle it....and do nothing else. Set it up on a cable modem, so the PC has a public IP address. Let it sit there, running at nothing but desktop, for a week or so.

Take another identical computer, unbuckle it, but keep it behind a little old Linksys home grade router....let it run for a week or so....doing nothing but running at desktop.

Come back after a week. Chances are pretty good, IMO, that the PC that was not behind the router will have picked up something. More than likely, at the very least, some exploit that utilized DCOM/RPC would have hit it. And I'd wager a truckload of Guinness that the PC behind the little Linksys router is running perfectly healthy with zero issues.

Referring to the "Red NIC"...I'm referring to the WAN NIC..the one that gets the outside IP address. To me, it's just as dangerous for a PC as the example above with the PC directly on the cable modem.

To me the big issue of having a Windows PC directly on a public IP address is the exposure to the self spreading worms out there, which spread around the IP ranges of ISPs looking for the exposed service that it exploits.

Prime example...the Blaster worm. Computers that were plugged right into a cable modem or DSL modem with a public IP address were almost guaranteed to catch it when it spread, getting that fun error "This shutdown was initiated by NT AUTHORITY\SYSTEM" as soon as you logged on. Versus...computers behind a NAT router, they couldn't be touched by the self spreading worm searching the IP ranges of the ISP. The router's NAT kept it from being able to touch the OS of any PC behind it...unless someone DMZ'd the computer or something like that.

When that Blaster worm came out years ago...I was working for a larger place that had a service center...and we did house calls too. After a while, it became apparent...the waves and waves of computers hit by that worm were ones on the old DSL bridged modems, and cable connections.

It was back then when the Blaster worm came out...that I made it my rule..."Any computer that I am to support....will have to be behind a NAT router. If someone doesn't want a NAT router, don't call me for computer help."

Now, Can you make a Windows computer fairly secure without a NAT router, sitting on a public IP? Yes, you can. I've done it quite a few times, building public gaming servers that sat co-lo'd in data centers and ISPs without being behind NAT. However, 99.9% of people out there can't or won't take the steps to do it, or maintain that.
 
Well thanks to everyone for giving all of your advice; I definitely was not expecting this much response. I kind of got lost in all of the acronyms and whatnot as the thread went on, and my competence with this kind of stuff is somewhat sub-par, so I have ordered a router in hopes that it will fix everything. As soon as it gets in I will let you know how it works.

Thank you all again
 