Security Forums

am I heading for trouble?

dick_angelia
Just Arrived
Joined: 06 Nov 2004
Posts: 0
Location: RP

Posted: Wed May 04, 2005 5:26 pm    Post subject: am I heading for trouble?

My peer-to-peer network of 5 computers (3 Win98, 2 XP's) with IP addresses of 169.254.x.x was doing OK. DHCP is enabled, but I don't know which machine is the server. (I did the networking using the Network Wizard of XP.)

Someone messed around with the IP addresses in an effort to hook up a security camera system. It did not work. The guy needs to have some more knowledge with regards to hooking up camera systems. So I just wanted my SETTINGS BACK. The problem is, the IP addresses are of different groups already. 2 machines retained the 169.254.x.x and they communicate ok. The others are 10.0.x.x and they could share files. No matter how many times I rerun the network wizard, the addresses won't just come to be compatible with each other. So I manually set the IP addresses of the 3 machines (2 98's and 1 XP). Following the one on the 169's machines, I put the subnet at 255.255.0.0. They're all ok now.

My questions are:

1. Am I heading for trouble because some of my machines have static while others have dynamic IP addresses?

2. What is the advantage of a dynamic over a static IP address system and vice versa?

larsmhansen
Trusted SF Member
Joined: 11 Jan 2003
Posts: 0
Location: Boston, MA, USA

Posted: Wed May 04, 2005 6:02 pm

You only have two options:
1) Set them all at dynamic settings, or
2) Set them all at static settings.

#1 is probably easier, and you don't even need to use the wizard. Just go to the network settings in the control panel, and change the settings from static to dynamic.

BUT, if that camera is a network camera, it may not work with the automatic IP assignment scheme that your computers are using, and in that case, you'll need to change all your computers to static IP addresses.

njan
Trusted SF Member
Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Posted: Wed May 04, 2005 6:11 pm

Speaking in general

There are really two types of automatically allocated addresses, each of which is used in a different situation.

DHCP, which is commonly used on large networks, is used to specifically allocate addresses to computers in order to centralise configuration - ie. I plug my laptop into a network with DHCP, and the DHCP server gives my laptop an IP address, subnet mask, and other information required to talk to the network or the internet, such as gateways, DNS servers, etc.

The addresses you're using are automagically assigned by Windows when a) there is no static address allocated for a specific network adapter, and b) no DHCP server can be found - windows randomly picks an address starting with 169.254, and thusly disconnected windows computers on an unplugged segment of a network or on a small network with no infrastructure can talk to each other with, in theory, zero configuration.

If you have an internet connection, there is a disadvantage here in that none of the computers aside from the one plugged into your modem will have any internet access - but if all you use your computers for is sharing files, this may be a satisfactory solution for you, because the machines will maintain a list of other computers they see on the network using something called 'WINS', which will allow you to talk to another computer by name on the network by determining the IP address from WINS.

From a networking perspective, this behaviour in windows (automagically allocating itself IP addresses) really isn't good - it's basically a hack allowing computers which have been plugged in together by non-technical users to talk to each other with zero configuration; this is very rarely desirable in an organised network, as usually if there's no DHCP server and no static address set, something is broken. This method of networking configuration is also unique to microsoft operating systems, and will not work (automatically) with other Operating Systems, or embedded devices such as your security camera. (See below for more information on this)

If you have an internet connection on one of your PCs, you can enable DHCP, and in doing so give internet access to the rest of your PCs using this - there is a good howto for ICS available online at http://www.practicallynetworked.com/sharing/ics/ics.htm as well as several threads on SFDC recently about this topic.

Strictly speaking, there's nothing wrong with the way that you have your network configured - although you would be well advised to be consistent in your allocation of network addresses (ie. all static or all dynamic) for sanity's sake, and most IT Pros and hackers will squirm at the thought of using the autoallocated addresses windows creates for itself.

The one advantage, aside from sheer laziness, which autoallocated addresses have is that you won't have to change anything in order to install a DHCP server - all of your network adapters are already waiting for a DHCP server to tell them how to configure themselves, but as there is no DHCP server, they autoassign themselves addresses. In the event that you did install a DHCP server, either by setting up ICS or installing a router, they should all pick up addresses straight away or after a reboot, and you'll have very painlessly made the transition to a different IP range, centrally configured.

If you don't want to enable ICS, you can simply use static addresses - if you give all of your machines IP addresses in the same netblock, they will all be able to talk to each other. Setting up static addressing is good for several reasons:

a) it will ensure you have a network configuration which won't change
b) it gives you a lot of control over your network and ensures you know exactly where everything is.
c) you can allocate static addresses to your camera, which will both be contactable over the network and will not change address.

There are three address spaces for private network addresses - the most commonly used (which ICS will allocate addresses from via DHCP) is the 192.168.0.x space (strictly speaking, this is a Class B network - ie. the private address space is 192.168.x.x, but windows only uses the 192.168.0.x subnet), the 172.16.x.x address space (another class B network), and the 10.x.x.x address space (a class A network). Personally, I'm a 10.x fan, but this is really more due to aesthetics than anything else!

Specific to your camera

With regard to your network camera, as the autoallocation behaviour is unique to windows, the camera will *not* give itself an IP address automatically, which will mean it cannot talk to the rest of the network. Your two options for the camera, as larsmhansen points out, are either to set a static address for it or set every machine dynamically (the camera should pick up an address).

What I don't think that larsmhansen has realised is that (I'm guessing) you don't have a DHCP server - only a lot of clients which are listening for DHCP (which is why your workstations have autoallocated themselves 169 IP addresses, something which will not happen in the presence of a DHCP server). I may be wrong on this point - if I am, your DHCP server is broken

As a camera is, technically speaking, a server, a static address is healthier as the address will not change (which a dynamically allocated address might). As the camera may not support WINS (and therefore may not be contactable via hostname), this is a distinct advantage, as otherwise you may be forced to guess the IP or reconfigure the camera each time it changes IP address.

If you want your camera to work, static addressing is probably the way to go. Although you can set a static address for it which is in the 169.254 range, you would be far better off simply either statically setting addresses for your entire network or setting up a DHCP server, as if you're going to change IP settings you may as well move away from the autoallocated addresses and their address range.

Hope that helps! Shout if you need more help, or want clarification.


Last edited by njan on Wed May 04, 2005 6:23 pm; edited 2 times in total

ryansutton
Trusted SF Member
Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California

Posted: Wed May 04, 2005 6:15 pm    Post subject: Re: am I heading for trouble?

dick_angelia wrote:


My questions are:

1. Am I heading for trouble because some of my machines have static while others have dynamic IP addresses?

2. What is the advantage of a dynamic over a static IP address system and vice versa?


In answer to your first question, no. You should be OK mixing static and dynamic IP addresses, although the IP addresses you are using 169.x.x.x are not routable, you may want to switch to a 192.x.x.x range.

The benefit of using DHCP is that it makes network configuration much easier. Static IP's are needed if you have a service on the PC that needs to be consistently accessed by your other PC's like a file server.

pluggo
Just Arrived
Joined: 04 May 2005
Posts: 0

Posted: Wed May 04, 2005 6:20 pm

169.* is an error IP address. For some reason, that machine is not pulling an IP address via DHCP.

From RFC1918:
<snip>
3. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
</snip>

These are the subnets your DHCP server should be assigning addresses from, at least if you're behind a firewall. Most home networks have a configuration like this: Router connected to DSL/Cable modem, machines connected to router via cables or wireless, machines inside assigned private IP's, and router having a public IP and a private IP (to communicate with both sides). Your internal machines should not have global (Internet) IP addresses; they should all be in 10.* or one of the other addresses.

As for dynamic and static IP addresses, it really doesn't matter much. Static means you need to assign an IP to each machine manually. Dynamic means it pulls one via DHCP. If you're not running DHCP (and it sounds like you're not), that explains the error (169.254.*) IP's: it's failing to pull an address because there is no server to give it an address. You need to change those machines to static IP's on the same subnet as the other machines. You probably *are* heading for trouble in this respect if you're not mixing both with a specific purpose in mind (I do this on my LAN for my web server so the router knows where to forward web server requests).

So, if I'm guessing correctly, you need to change your dynamically assigned addresses to static (but unique) ones in the same subnet. That should fix just about everything. Or just reinstall Windows, that always fixes anything.

monkranter
Just Arrived
Joined: 17 Mar 2005
Posts: 0
Location: Texas, USA

Posted: Wed May 04, 2005 6:30 pm

Let's first answer your questions and then go into a suggested solution.

Quote:
1. Am I heading for trouble because some of my machines have static while others have dynamic IP addresses?


Ordinarily, the answer to this question would be no. Typically a DHCP scope would be used to provide dynamic IP addresses to workstations, while servers would be statically assigned addresses. However, it doesn't appear that you have a DHCP server on your network. The 169.254.x.x subnet that you mention is assigned automatically by Windows when no DHCP server is present. In this instance, you run the risk of duplicate addressing on the network. So I would say that you are heading for trouble. -- There is hope, though.

Quote:
2. What is the advantage of a dynamic over a static IP address system and vice versa?


The largest advantage for dynamic addressing over static would have to be less administrative burden. It is much easier to configure a DHCP scope on a server and have all the workstations get their addresses from it, than to go to each individual machine and assign addresses. In a large environment it is almost impossible to keep track of statically assigned addresses on workstations. Servers, on the other hand, typically have a job function that requires other devices on the network to know how to reach them at all times. By statically assigning the addresses to servers, there is less unnecessary network chatter.

Now for my suggested solution.

Since you don't have any devices on your network capable of managing a DHCP scope that I am aware of, (someone please correct me if I am wrong, but I don't believe you can set up a DHCP server on an XP machine) I think that you would be better off statically assigning the addresses on your workstations. This way you have better control over the addressing. Plus in a small environment such as yours, you are not really looking at a lot of work managing those addresses. I would change the subnet to something in the 192.168.x.x range and drop the mask to at least 255.255.255.0.

I hope this helps.

[edit]It took me too long to write this post. It looks like my points were already covered in previous posts.[/edit]


Last edited by monkranter on Wed May 04, 2005 6:32 pm; edited 1 time in total

njan
Trusted SF Member
Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Posted: Wed May 04, 2005 6:31 pm

Quote:
169.* is an error IP address. For some reason, that machine is not pulling an IP address via DHCP.


Yes, although it's important to note that it's not an error IP address, it's an autoallocated IP address used to allow computers on a network with no static addressing or DHCP Server around to intercommunicate - it could be the case that this was (as in this case, actually) at least partially desired behaviour, which doesn't make it an error IP address. See my post above

Not bad, just different, not bad, just different.. ahem

Quote:
In answer to your first question, no. You should be OK mixing static and dynamic IP addresses, although the IP addresses you are using 169.x.x.x are not routable, you may want to switch to a 192.x.x.x range.


Be careful! This isn't quite true!

a) with autoallocated IP addresses in the 169 range (don't call them dynamic, as this makes distinguishing between windows's automagically allocated addresses and DHCP addresses difficult), you can pick a static address in the 169.254.x.x address range and probably get away with it (I'm fairly sure that another windows machine looking for an address will sidestep an address which is already in use),

However..

b) with a dynamic address allocated via DHCP, you can not do this (not sure whether you were saying you could or not - but your post might make people assume that you could, and I want to clear up any confusion pre-emptively) - if you pick a static address in a dynamic address space (unless you configure your own DHCP server and ensure that a specific address will not be allocated), you will have an IP address collision when the DHCP server allocates an address which is already in use statically to another workstation, causing one or both machines to lose connectivity.

[edit]noticed this point an hour or two later and didn't want to doublepost[/edit]:

Quote:
someone please correct me if I am wrong, but I don't believe you can setup a DHCP server on an XP machine


Internet Connection Sharing! I'm not wanting to sound perfunctory, but I did mention this in my post above... ICS would really be the perfect solution for a network this small, unless the OP feels like buying/setting up a SOHO router or installing IpCop on an old machine.
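
The checks discussed in the replies above (which block an address falls in, whether every machine ends up in the same netblock, and the collision risk of a static address inside a DHCP range), as an added Python example that is not code from any poster in this thread. The host lists, the `static`/`dhcp` mode labels, the finding names and the DHCP pool bounds are constructed for illustration.

```python
"""Added example: audit a small LAN address plan with the stdlib ipaddress module."""
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # "link local" block (RFC 3330)
RFC1918 = [ipaddress.ip_network(n)                   # private blocks quoted from RFC 1918
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'link-local', 'private' or 'other' for a dotted-quad address."""
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    return "other"


def audit(hosts, dhcp_pool=None):
    """hosts: (name, address, netmask, mode) tuples; mode is 'static' or 'dhcp'
    (labels chosen for this example). dhcp_pool: optional (first, last)
    addresses a DHCP server hands out. Returns a list of (code, detail)."""
    findings = []
    nets, addrs = defaultdict(list), defaultdict(list)
    pool = [ipaddress.ip_address(a) for a in dhcp_pool] if dhcp_pool else None
    for name, addr, mask, mode in hosts:
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        nets[iface.network].append(name)
        addrs[iface.ip].append(name)
        kind = classify(addr)
        if kind == "link-local":
            # A DHCP client holding 169.254.x.x got no answer from a server;
            # a static 169.254.x.x address is a hand-picked autoconfig address.
            findings.append(("no-dhcp-answer" if mode == "dhcp"
                             else "static-in-link-local", name))
        elif kind == "other":
            findings.append(("outside-rfc1918", name))
        if mode == "static" and pool and pool[0] <= iface.ip <= pool[1]:
            # The server may later lease this same address to another machine.
            findings.append(("static-in-dhcp-pool", name))
    for ip, names in addrs.items():
        if len(names) > 1:
            findings.append(("duplicate-address", f"{ip}: {', '.join(names)}"))
    if len(nets) > 1:
        # Address/mask pairs that yield different networks cannot reach each
        # other directly, which is the "different groups" symptom in the thread.
        detail = "; ".join(f"{net} -> {', '.join(members)}"
                           for net, members in sorted(nets.items()))
        findings.append(("split-subnets", detail))
    return findings


# Constructed sample plans; the addresses are made up, shaped like the thread's.
MIXED = [("pc1", "169.254.10.5", "255.255.0.0", "dhcp"),
         ("pc2", "169.254.77.20", "255.255.0.0", "dhcp"),
         ("pc3", "10.0.0.2", "255.0.0.0", "static"),
         ("pc4", "10.0.0.3", "255.0.0.0", "static"),
         ("pc5", "10.0.0.4", "255.0.0.0", "static")]
ALL_169 = MIXED[:2] + [("pc3", "169.254.1.3", "255.255.0.0", "static"),
                       ("pc4", "169.254.1.4", "255.255.0.0", "static"),
                       ("pc5", "169.254.1.5", "255.255.0.0", "static")]
STATIC_192 = [(f"pc{i}", f"192.168.1.{9 + i}", "255.255.255.0", "static")
              for i in range(1, 6)]
WITH_POOL = [("pc1", "192.168.0.101", "255.255.255.0", "dhcp"),
             ("camera", "192.168.0.150", "255.255.255.0", "static")]
POOL = ("192.168.0.100", "192.168.0.200")  # constructed DHCP range

if __name__ == "__main__":
    for label, plan, pool in (("mixed", MIXED, None), ("all 169.254", ALL_169, None),
                              ("static 192.168.1.x", STATIC_192, None),
                              ("camera inside pool", WITH_POOL, POOL)):
        print(label, audit(plan, pool) or "no findings")
```
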

njan
Trusted SF Member
Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Posted: Wed May 04, 2005 8:18 pm

Quote:
the IP addresses you are using 169.x.x.x are not routable, you may want to switch to a 192.x.x.x range.


Just noticed this.. what exactly do you mean? 169.x.x.x and 192.168.x.x are both non-routable blocks, the only difference is that 169.x.x.x are reserved for "allocated for communication between hosts on a single link", and 192.168.x.x are reserved for private networks - you could setup a NAT gateway to connect to routeable IP addresses in either case, in order to have connectivity.

My fault for leaping before looking, apparently; some of my snide comments about Windows's autoallocation of 169.254 addresses are unwarranted, as this address range is explicitly labeled for this use in an RFC, which makes it less a case of Microsoft breaking other things than Microsoft implementing a feature no-one else bothers with. This notwithstanding, most of the commentary above still applies.

Quote:

169.254.0.0/16 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found.


http://www.faqs.org/rfcs/rfc3330.html

ryansutton
Trusted SF Member
Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California

Posted: Wed May 04, 2005 8:29 pm

njan wrote:

Just noticed this.. what exactly do you mean? 169.x.x.x and 192.168.x.x are both non-routable blocks, the only difference is that 169.x.x.x are reserved for "allocated for communication between hosts on a single link", and 192.168.x.x are reserved for private networks - you could setup a NAT gateway to connect to routeable IP addresses in either case, in order to have connectivity.


I'm sorry & thanks for pointing that out. What I meant to say is that using a 169.x.x.x range will not allow any data to be routed to other computers on the LAN. Using a 192.x.x.x will allow you to route information on your internal LAN although this would not be a publicly routable address.

Quote:
you could setup a NAT gateway to connect to routeable IP addresses in either case, in order to have connectivity.


This is news to me, I did not think you could get information to route between two computers using a 169.x.x.x IP. I have not done extensive testing but I have never been able to get data to route between PC's that are on this range. Although even if you could I believe that it would be better to use a 192.x.x.x range as this is (or 172.x.x.x or 10.x.x.x) the standard for private addressing.

~Ryan

njan
Trusted SF Member
Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Posted: Wed May 04, 2005 8:49 pm

Quote:
I'm sorry & thanks for pointing that out.


No worries.

Quote:
What I meant to say is that using a 169.x.x.x range will not allow any data to be routed to other computers on the LAN. Using a 192.x.x.x will allow you to route information on your internal LAN although this would not be a publicly routable address.


Yup.

Quote:
This is news to me, I did not think you could get information to route between two computers using a 169.x.x.x IP.


Aside from addresses which have specific purposes which are important to a machine's connectivity (such as the entire 127.0.0.0/8 block), you can use just about any (valid) ipv4 address to route traffic between hosts - including public addresses on a private lan. The same applies to services on port numbers - port 0 is the only unusable port in most instances (which is sometimes used in unix/unix-like systems to let the system automatically assign a port, is also sometimes referred to as one of the sub-1024 reserved ports in networking manuals, and is unroutable across most of the internet, mostly because routers are based on OS kernels which deal with port 0 in the manner specified above).

Although the 169.254 range has a special purpose, there's nothing inherent in a machine's IP stack which should prevent routing between these addresses - in fact, this range is specifically used for communication between machines when they're plugged into an unconfigured network segment, as per the RFC I linked to

Quote:
I have not done extensive testing but I have never been able to get data to route between PC's that are on this range


Whether it works or not is another matter; I've never had data routing between machines with addresses in this range, but that's partly because a) when I do have machines on this range, I have no idea where they are, and b) when I do have machines on this range, my reaction isn't to see if they can ping each other, it's to establish why my network's broken to the point at which Windows feels the need to start doing this

Quote:
Although even if you could I believe that it would be better to use a 192.x.x.x range as this is (or 172.x.x.x or 10.x.x.x) the standard for private addressing.


Definitely.

ryansutton
Trusted SF Member
Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California

Posted: Wed May 04, 2005 9:56 pm

njan wrote:

Although the 169.254 range has a special purpose, there's nothing inherent in a machine's IP stack which should prevent routing between these addresses - in fact, this range is specifically used for communication between machines when they're plugged into an unconfigured network segment, as per the RFC I linked to


It's interesting because now that I think about it, it makes perfect sense there is no reason it would not work. Like you, as soon as I see a 169 range I think that something is broken and start troubleshooting my network. Thanks for enlightening me.

dick_angelia
Just Arrived
Joined: 06 Nov 2004
Posts: 0
Location: RP

Posted: Thu May 05, 2005 10:28 am

Thank you guys for your replies. I got more than what I asked for.

Regarding statically setting the network in the 192 range, that was exactly what the guy did. I told him to let my system WORK AGAIN as the machines don't communicate with each other after HE touched them. So he went on and statically assigned the IP addresses from 192.168.1.10 to 192.168.1.14 subnet 255.255.255.0. Machines could ping but folders won't share and my SQL based program won't run properly as clients could not communicate with the assigned SQL server which is one of the XP's. So I did what I did as shown in the first post. Probably what I will do now is to take note of the IP addresses of the 2 dynamically configured NIC's and then change them to static and copy THE SAME present addresses. What do you think?

I have no explanation why the way he did it didn't work. It looks like what he did is exactly what you guys are saying here!

njan
Trusted SF Member
Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Posted: Thu May 05, 2005 10:42 am

Quote:
Machines could ping but folders won't share and my SQL based program won't run properly as clients could not communicate with the assigned SQL server which is one of the XP's


Aha! I think we'd all assumed the machines just wouldn't talk - if ping worked, you had connectivity (obviously), so probably this wasn't a connectivity issue as such.

Filesharing is slightly harder to figure out, as it could be a number of issues, but were the machines rebooted? It's possible that, for instance, the machines weren't rebooted and they were still using the old IP ranges to attempt to connect to each other (or that you were using a method of accessing them which used the old IP ranges irrespective, such as having added these PCs to my network places).

Using windows filesharing, if all else fails and machines don't see each other on the same workgroup/domain, you can always access a machine directly by typing \\ip.ad.dr.ess into the folder bar in explorer (or \\ip.ad.dr.ess\sharename). As long as you have connectivity, this will work 99.9% of the time (and either use your cached logon information or prompt for a username/password)

In the case of SQL, if this is a web-based application, you will most definitely have to change your configuration - as applications generally use TCP/IP to connect to a SQL Server, unless your SQL Server is on the same machine as the application (in which case it's prudent to use localhost or 127.0.0.1 to connect to the SQL server and disallow non-localhost access), you will have to reconfigure your application to point to the same place. It sounds like you have clients remotely accessing the SQL server, so this will definitely be the problem - check the configuration for your client application and see if you can figure out where it stores the SQL server's information. If you do this and reconfigure them, SQL server should work.

Bearing this in mind, if you can figure out filesharing and reconfigure SQL, setting static addresses is probably the way to go if you're not enamoured with the idea of Internet Connection Sharing handing out dynamic addresses. You could assign static addresses in the 169.254.x.x range, but it wouldn't, strictly speaking, be a correct use of the addresses, and although it would work, technically, I'd be far more comfortable using an address range designed for this, because there's no real reason not to, really - both SQL and filesharing *should* work in a different IP address range.

All times are GMT + 2 Hours