AVS Forum


Post 1 of 12 (discussion starter)
Where is the best place to ask why each of my computers attached to the local side of my SMC Barricade firewall can ping the other, but neither computer shows up in the other's Entire Network in Windows Explorer?


I feel guilty about posing a non-HT question in this group, so is there a better forum available?


Thanks,

-yogaman
 

Post 2 of 12
Yogaman-


I'm sure you can find many places with better advice on Windows networking (like www.wown.com), but my first thing to try would be to make sure you turned on 'file and printer sharing' on both computers, and make sure you shared at least one hard drive on each computer after you turned sharing on. Also, be sure you have both computers on the same 'workgroup' name.


I could tell you much more, but those should get you started. Good luck-



------------------

Chris
 

Post 3 of 12 (discussion starter)
Thanks for the pointer, Chris.


I have it sort of working now. ZoneAlarm was interfering apparently. Now I can see one computer from the other, but not vice versa yet.


(I just shut ZoneAlarm off. Is there a way to explain to ZoneAlarm that I want to allow local networking to work?)


Still not obvious, but if it were, I'd fix it, right?


Again, I do feel guilty about taking space for non-HT questions, but thanks for all advice.


-yogaman


[This message has been edited by yogaman (edited 06-29-2001).]
 

Post 4 of 12
I would suggest installing the NetBEUI protocol and bind NetBIOS to it rather than TCP/IP. By unbinding NetBIOS from TCP/IP, you are using TCP/IP just for Internet access, and NetBEUI for your LAN file and print sharing.


I am not familiar with Zone Alarm, but I would assume it is only watching for TCP/IP traffic. Because NetBEUI is not a routable protocol, you should be a little safer too, BUT because NetBEUI is not a routable protocol, the two computers must be in the same broadcast domain (sounds like they are.)


Hope this helps.

 

Post 5 of 12
Even if this message does not belong in this group, I can also try to help you...


1) You have to set up every computer on your LAN to act as a client and a server for file and print service. Also, it is not absolutely necessary to be in the same domain, but it's preferable to simplify things...

2) If you just install TCP/IP for the protocol, NetBIOS will bind itself over TCP/IP. The communication will be a little bit slower, but also, you will not have a lot of broadcasts, like NetBEUI does.

3) I don't know this firewall product, but maybe you'll have to permit communications on TCP ports 137, 138 and 139 on your LAN side. 139 is the main port, but, without knowing why, 137 and 138 are sometimes also used.


Have a nice day!
 

Post 6 of 12
I've found that to protect a network it's best to use a separate firewall. ZoneAlarm is a great product for a single PC but once you have a network it starts to cause some problems as you've described.

I'm using Gnatbox on some old hardware (75 MHz Pentium - though a 486 is fine) and it is usually the recommended firewall in comparison tests. You can download it for free ( www.gnatbox.com ) as a demo (limited to 5 internal addresses). It requires at least a 486 system with a floppy and video (no CDROM or hard drive). If you're interested and need some help e-mail me and I'll be glad to assist - though I am going on vacation very early Saturday and won't be back for 2 weeks so any help may have to wait until then.
 

Post 7 of 12
Hi Yogaman:


___ZoneAlarm Pro protects my main HTPC with ZoneAlarm std. protecting the kid’s HTPC’s on the network. For ICS connectivity when using ZoneAlarm std., I drop the Internet Security settings in the Security settings area to medium so the kids have access to the net as well. I haven’t seen nor heard of any problems/trouble from the kids yet and the 19 yr. old in particular uses some pretty obscure net SW without a problem so far … (now that I said that, I can expect a “Dad, my new ftp, IRC, or IM SW isn’t working properly …” ;) )


___As for being a bit OT, you do need SW and driver updates for your HTPC, correct? ;)


___Good Luck


___Wayne R. Gerdes

___Hunt Club Farms Landscaping Ltd.

___ [email protected]



------------------

New E-Mail address for the time being ... [email protected]
 

Post 8 of 12
Yogaman-


Since you have a hardware firewall/router, you should be pretty secure even if you weren't running ZoneAlarm, but here is another tip I used to increase security on my network: Add the IPX/SPX protocol to each of your computers, and then UNCHECK 'file and printer sharing' and 'client for MS networks' from the 'bindings' section of each 'TCP/IP>network adapter' item in your network properties. This way, each computer's Internet data runs on TCP/IP (as it has to), and your internal file-sharing is not even visible to the 'outside world'. This and many other good ideas are from ShieldsUp! at www.grc.com. It works fine here on a mixed wired/wireless network, and each computer sees every other one just fine (they're all running Windows ME).



------------------

Chris
 

Post 9 of 12
With a routed network using a non-routable IP subnet (e.g. 192.168.0.x), the non-addressable nature of the network is all the security you need. Unless you are forwarding some ports back into your internal network, no one can get to your machines. There's no reason to add other protocols, etc. and make for a kludgy network. Just a note from the Minimalist Camp...


-will


------------------


No man has enough luck to save himself from his fellow man

--Combustible Edison
 

Post 10 of 12 (discussion starter)
Hepcat:


Your non-routable IP addresses solution seems better than adding IPX/SPX. Can you please confirm that the default subnet IP addresses from the SMC Barricade are non-routable? The Barricade uses 192.168.123.x by default. So if I choose 192.168.123.20 and 192.168.123.203 for my LAN connections, am I correct in assuming that these computers cannot be reached from outside the firewall?


The Barricade performs translation for the static WAN IP address assigned by my ISP. But, as I dimly understand it, it prevents any external machine from finding out that 192.168.123.20 even exists.


What if I want to dial in from work to set up a recording by my HiPix (after the recording API is published)? Is there a way to do this without significantly compromising the LAN-connected PCs' security?


Is there a URL for the RFC that lists all the non-routable local IP addresses? Or with a firewall like this Barricade, are *all* IP addresses non-routable? (I think here we are using "non-routable" to mean not publicly routable. Yes?)


Sorry for more dumb questions, but it's clear the expertise is available and interested in educating. I thank you for that interest.


-yogaman
 

Post 11 of 12 (discussion starter)
It's probably bad etiquette to answer my own post, but WWW.GRC.COM did such a good job on the first part that I thought it's worth quoting here to save others the effort:
Quote:
In a NAT-based system, a single IP address represents the NAT router . . . behind which can lie an entire private network of machines! The machines on this private network (behind the NAT router) use IP addresses that have been set aside for just this purpose. They generally start with 192.168.x.x or 10.x.x.x. These address ranges are NEVER used by regular machines on the Internet so that any machines on the private network can know that they're talking amongst themselves.


When one of the machines behind the NAT router needs to contact resources on the public Internet, the request is routed through the NAT router (since that's what connects the machines to the Internet). The NAT router reformats the outgoing data packet so that it appears to originate from IT, instead of the actual originating machine, and sends it on its way. When the data returns, the process is reversed and the data packet is sent to the originating machine on the private network. Thus, when viewed from the perspective of the external public Internet, ALL of the machines behind the NAT router appear to be a single machine with that one (NAT router) IP address.


This is useful for two main reasons:


First, it allows many machines to share a single IP address. Any cable modem or DSL user with a single IP address can use NAT technology to "multiplex" their single IP across as many machines as they like! So, rather than paying your connection provider for additional IP's, you can be running all the machines you want for no additional money!


Secondly, NAT very effectively HIDES all of your machines from the prying eyes of the Internet! Anyone scanning across your IP address will ONLY be able to "see" the NAT router! (Which is generally much more secure than the average PC.) So, they won't actually be touching any of your machines located BEHIND the router! Moreover, none of the software running inside your PC can "give out" your network's public IP address because it is completely unknown to your machines! Only the NAT router knows the public IP of your network, your machines only know their private "behind the router" IP's. So Internet client programs, like your web browser which send out the machine's IP address with every request, will be completely fooled and foiled when they're running behind a NAT router.


Where do you get NAT routing?


The second edition of Windows 98 provides options for built-in NAT routing in the form of its ICS (Internet Connection Sharing). I don't like this solution, though, because it requires that the ICS machine always be running to provide NAT services for the rest of the network.


My absolute favorite solution for personal and small office NAT routing is the new Linksys "Etherfast Cable/DSL Router". It is now available in TWO versions, with and without a built-in high-performance 4-port 10/100 switch. With a street price in the neighborhood of just $105 or $155, this feature packed router and (optional) four-port hub, provides expandable connectivity for up to 253 machines and even offers a rudimentary packet filtering firewall — which, for example, can easily be told to block ports 137-139 and completely prevent all NetBIOS file sharing insecurity!
-yogaman
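The RFC asked about in post 10 is RFC 1918 (Address Allocation for Private Internets), which reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; the Barricade's default 192.168.123.x lies in the last block. The Python model below is an added illustration for this thread, not code from any poster, from GRC, or from SMC. It ties the RFC 1918 check together with the NAT behaviour the GRC excerpt above describes and with the NetBIOS ports (137, 138, 139) named in post 5: an outbound packet leaves with the router's public address, an inbound packet is delivered only as a reply to a live translation or through an explicit port forward (the dial-in-from-work case), and NetBIOS is never forwarded from the WAN side. The class and function names, the WAN address 203.0.113.5 and the remote hosts in 198.51.100.0/24 (both documentation ranges) are assumptions made for the example; a real router also ages out translations, which this model omits.

```python
"""Model of a NAT router with an RFC 1918 LAN side.

Added example for the thread; names, addresses and the simplified behaviour are
assumptions, not the SMC Barricade's or any vendor's actual implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 1918 private blocks: the "non-routable" addresses the thread refers to.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# NetBIOS over TCP/IP: name service (UDP 137), datagram service (UDP 138),
# session service (TCP 139). These must never be reachable from the WAN side.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in an RFC 1918 block, e.g. the Barricade's 192.168.123.x."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Rewrites outbound sources to one public IP; admits inbound traffic only as a
    reply to a live translation or through an explicit port forward."""

    def __init__(self, wan_ip: str, lan_net: str,
                 port_forwards: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        if not is_rfc1918(str(self.lan_net.network_address)):
            raise ValueError("LAN side must use an RFC 1918 block")
        # (proto, wan_port) -> (lan_ip, lan_port): holes opened on purpose
        self.port_forwards = dict(port_forwards or {})
        # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port): live translations
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self.next_port = 40000  # first ephemeral WAN port handed out (assumption)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: source becomes wan_ip:<allocated port>; the flow is remembered."""
        if ipaddress.ip_address(pkt.src) not in self.lan_net:
            raise ValueError(f"{pkt.src} is not on the LAN side")
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, wan_port), known in self.table.items():
            if proto == pkt.proto and known == flow:
                break  # same flow seen before: reuse its WAN port
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, wan_port)] = flow
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: the packet rewritten to the private host, or None if dropped."""
        if pkt.dst != self.wan_ip:
            return None  # private addresses are not reachable from outside at all
        if (pkt.proto, pkt.dport) in NETBIOS_PORTS:
            return None  # file sharing stays inside, even if a forward was configured
        known = self.table.get((pkt.proto, pkt.dport))
        if known is not None:
            lan_ip, lan_port, remote_ip, remote_port = known
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
            return None  # right port, wrong peer: a probe, not a reply
        forward = self.port_forwards.get((pkt.proto, pkt.dport))
        if forward is not None:
            lan_ip, lan_port = forward
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        return None  # unsolicited traffic: nothing behind the router is addressable


if __name__ == "__main__":
    router = NatRouter("203.0.113.5", "192.168.123.0/24")
    out = router.outbound(Packet("tcp", "192.168.123.20", 1025, "198.51.100.80", 80))
    print("outbound as seen on the Internet:", out)
    print("reply delivered to:", router.inbound(Packet("tcp", "198.51.100.80", 80, out.src, out.sport)))
    print("NetBIOS probe from outside:", router.inbound(Packet("tcp", "198.51.100.9", 4444, out.src, 139)))
```

The peer check in `inbound` (same WAN port, different remote host, so dropped) is what makes a scan of the public address see only the router, as the GRC excerpt says. The `port_forwards` dictionary is the one deliberate exception and is the shape of an answer to the dial-in question in post 10: forward exactly one port to exactly one LAN host, and never 137-139.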
 

Post 12 of 12 (discussion starter)
Wow. AVS people are truly great.


I'm happy to report that my problem is gone!


Thanks for the suggestions, folks. The key really was to shut down ZoneAlarm, then reboot *both* computers. (The one that never had ZA was the one that couldn't see the one from which ZA had to be removed.) I didn't think of rebooting the "innocent" computer until this morning.


For the record, I guess I need to confess that the ping worked from "innocent" to ZA computer when I had briefly disabled ZA for other reasons (trouble-shooting real-time performance in Scenalyzer Live recording). So, my problem report was a little polluted. When ZA was re-activated by subsequently rebooting, the PC it was on couldn't even see itself on the LAN.


I may try GnatBox, but for now, I'll just run without a firewall since I have the SMC Barricade router doing first line of defense. I was using ZoneAlarm to detect/prevent whatever it's called when you get a virus that tries to send information back to the internet. I'm pretty careful (but one can never be too careful!) about downloading, so it's not a major concern for a little while.


This is great. Now I can expect that the WebPlayer I've ordered will just join right in. I envision it as being the TV-Guide machine in the HT. Anybody else doing something like that? Anybody using one PC to control the DVD player on a different PC? Hmm. Sounds like a new thread.


And, I heartily endorse the suggestion to put passwords on all shared files. I further recommend that the file-sharing password be something you wouldn't mind telling to someone who might be helping you troubleshoot someday. That is, don't make it the same password you'd use for financial information at your on-line broker, for example. You never know...


Thanks to all.


-yogaman
 