XP Pro does not map Computer Names to Network IP addresses Why?

[Dennis]

I have a small number of laptops and desktops on a network.

The desktop has XP Pro and the laptop has XP Home.

The Laptop computer name is MyLaptop and the laptop drive name is LaptopC. The
laptop c drive is shared. The linksys router assigns the laptop the address
192.168.1.50.

I can view the files on the laptop by entering \\192.168.1.50\LaptopC . However
I can't view the files using \\MyLaptop\LaptopC which means XP pro is not
mapping the computer names on the network to the router assigned IP addresses.

The router sometimes assigns different IP's to the computers on the network when
they power up.

How can I get XP Pro to automatically map and recognize the computer names on
the network to their IP addresses?

Thanks for any help with this problem.

 

[Chuck]

I have a small number of laptops and desktops on a network.

The desktop has XP Pro and the laptop has XP Home.

The Laptop computer name is MyLaptop and the laptop drive name is LaptopC. The
laptop c drive is shared. The linksys router assigns the laptop the address
192.168.1.50.

I can view the files on the laptop by entering \\192.168.1.50\LaptopC . However
I can't view the files using \\MyLaptop\LaptopC which means XP pro is not
mapping the computer names on the network to the router assigned IP addresses.

The router sometimes assigns different IP's to the computers on the network when
they power up.

How can I get XP Pro to automatically map and recognize the computer names on
the network to their IP addresses?

Thanks for any help with this problem.

Dennis,

Do you maybe have an address resolution problem?
<http://nitecruzr.blogspot.com/2005/05/address-resolution-on-lan.html>

Also, browser conflicts can cause similar symptoms.
<http://nitecruzr.blogspot.com/2005/05/browstat-utility-from-microsoft.html>

Possibly firewall problems.
<http://nitecruzr.blogspot.com/2005/05/your-personal-firewall-can-either-help.html>

If nothing else, see if any points in here give you any insight.
<http://nitecruzr.blogspot.com/2005/05/troubleshooting-network-neighborhood.html>

 

[Dennis]

Do you maybe have an address resolution problem?
<http://nitecruzr.blogspot.com/2005/05/address-resolution-on-lan.html>

Also, browser conflicts can cause similar symptoms.
<http://nitecruzr.blogspot.com/2005/05/browstat-utility-from-microsoft.html>

Possibly firewall problems.
<http://nitecruzr.blogspot.com/2005/05/your-personal-firewall-can-either-help.html>

If nothing else, see if any points in here give you any insight.
<http://nitecruzr.blogspot.com/2005/05/troubleshooting-network-neighborhood.html>

Thanks Chuck the problem seems to be with ZoneAlarm Pro(ZAP)firewall. Here is
my setup:

I have a desktop with win XP Pro and a laptop with win XP home and ZAP
5.5.062.011.

With ZAP off(not loaded) and Win XP Firewall Off I can see both computers in my
Workgroup network and can access the files in each.

With ZAP On and WinXP firewall Off I get the error message that the "Workgroup
is unavailable".

My settings are:
In ZAP's FireWall->Zones I have Internet Zone=High and Trusted Zone=Med. In the
Firewall->Zones I have The Gateway xxx.xxx.xxx.0/255.xxx.xxx.xxx=Network=Trusted
(I put IP XXX for security). I have the DHCP gate xxx.xxx.xxx.1 = IP
addess=Trusted. I entered each of the DNS IP's as Trusted. I put in the router
assignment xxx.xxx.xxx.xxx to xxx.xxx.xxx.255 IP Range = Trusted .

In Program Control->Programs I have set "Generic Host Process"
Access->Trusted,Internet checked ON. Server->Trusted checked On and
Server->Internet "X" off.

Where can I find the proper settings for ZAP?

Thanks.

 

[Chuck]

Thanks Chuck the problem seems to be with ZoneAlarm Pro(ZAP)firewall. Here is
my setup:

I have a desktop with win XP Pro and a laptop with win XP home and ZAP
5.5.062.011.

With ZAP off(not loaded) and Win XP Firewall Off I can see both computers in my
Workgroup network and can access the files in each.

With ZAP On and WinXP firewall Off I get the error message that the "Workgroup
is unavailable".

My settings are:
In ZAP's FireWall->Zones I have Internet Zone=High and Trusted Zone=Med. In the
Firewall->Zones I have The Gateway xxx.xxx.xxx.0/255.xxx.xxx.xxx=Network=Trusted
(I put IP XXX for security). I have the DHCP gate xxx.xxx.xxx.1 = IP
addess=Trusted. I entered each of the DNS IP's as Trusted. I put in the router
assignment xxx.xxx.xxx.xxx to xxx.xxx.xxx.255 IP Range = Trusted .

In Program Control->Programs I have set "Generic Host Process"
Access->Trusted,Internet checked ON. Server->Trusted checked On and
Server->Internet "X" off.

Where can I find the proper settings for ZAP?

Thanks.

Dennis,

With ZAP, there are two settings:
- Set the scope of the Trusted Zone (use fixed ip addresses if possible).
- Set Security level for the Trusted Zone.

See The ZAP V5.5 User Manual:
<http://download.zonelabs.com/bin/media/pdf/zaclient55_user_manual.pdf>

Remember to turn WF off using the WF applet - don't stop the WF/ICS service.

 

[Dennis]

Dennis,

With ZAP, there are two settings:
- Set the scope of the Trusted Zone (use fixed ip addresses if possible).
- Set Security level for the Trusted Zone.

See The ZAP V5.5 User Manual:
<http://download.zonelabs.com/bin/media/pdf/zaclient55_user_manual.pdf>

Remember to turn WF off using the WF applet - don't stop the WF/ICS service.

Thanks Chuck.

The service "Internet connection Firewall(ICF)/Internet connection sharing(CS)
is set to manual but it is not "Started". Should it be set to Automatic?

I used a range of router assign IPs in the ZAP trusted zone. Do you mean to add
each one of the router assign IPs separately?

The security level for the trusted zone is "Medium" should it be set to "Low"?

Thanks for your help.

 

[Chuck]

Thanks Chuck.

The service "Internet connection Firewall(ICF)/Internet connection sharing(CS)
is set to manual but it is not "Started". Should it be set to Automatic?

I used a range of router assign IPs in the ZAP trusted zone. Do you mean to add
each one of the router assign IPs separately?

The security level for the trusted zone is "Medium" should it be set to "Low"?

Thanks for your help.

Dennis,

ICF/ICS should be Started and Automatic.

With ZAP, "Trusted Zone Security = Medium" = "Access to Windows services, file
and printer shares is allowed.".

Do you have a wired or wireless LAN? If a wired LAN, where YOU control the
network, you're safe enough setting the Trusted Zone = the subnet. From your
description of "a small number of laptops and desktops" I was thinking a
wireless LAN. If a wireless LAN, I urge you to protect yourself a bit more
carefully, including individual, fixed ip addresses on all computers (not just
wireless computers), and open ZAP only to those assigned addresses.
<http://nitecruzr.blogspot.com/2005/05/setting-up-wifi-lan-please-protect.html>

 

[Dennis]

Dennis,

ICF/ICS should be Started and Automatic.

With ZAP, "Trusted Zone Security = Medium" = "Access to Windows services, file
and printer shares is allowed.".

Do you have a wired or wireless LAN? If a wired LAN, where YOU control the
network, you're safe enough setting the Trusted Zone = the subnet. From your
description of "a small number of laptops and desktops" I was thinking a
wireless LAN. If a wireless LAN, I urge you to protect yourself a bit more
carefully, including individual, fixed ip addresses on all computers (not just
wireless computers), and open ZAP only to those assigned addresses.
<http://nitecruzr.blogspot.com/2005/05/setting-up-wifi-lan-please-protect.html>

Thanks again for your help.

Yes I do have a few Laptops on one wireless access point (WAP) that's connected
to the Linksys wired router. The WAP is password protected so no outside
wireless computers can access it.

Are you suggesting that in the tcp/ip protocol on each computer, that I assign a
IP address and subnet mask instead of using the "Obtain IP Address
Automatically" option in TCP/IP properties?

the Trusted Zone = the subnet means 255.255.255.0 ?

Dennis

 

[Chuck]

Thanks again for your help.

Yes I do have a few Laptops on one wireless access point (WAP) that's connected
to the Linksys wired router. The WAP is password protected so no outside
wireless computers can access it.

Are you suggesting that in the tcp/ip protocol on each computer, that I assign a
IP address and subnet mask instead of using the "Obtain IP Address
Automatically" option in TCP/IP properties?

the Trusted Zone = the subnet means 255.255.255.0 ?

Dennis

Dennis,

The Trusted Zone, if for the subnet, is controlled by the 255.255.255.0 yes.
Meaning that's 255 addresses you would trust. If you only have say a dozen
computers, that would include 240+ addresses open to abuse.

If you have a wireless LAN (ie can't control the physical media like with a
wired LAN), you ought to permit access thru the firewall on each computer only
to known computers that YOU own. If an intruder associated with your WAP, and
you were Trusting your subnet, he would be half in already. If you trust only
individual ip addresses, assigned by you, he would have a harder time getting
thru your personal firewalls. And if you manually assign ip addresses, he would
have to figure out your subnet before he could assign himself an address.

Do you understand how incredibly stupid Walter Nowakowski (the wardriver
mentioned in the first link from my webpage) was? Yet he was surfing away.
Imagine how smart the smart wardrivers are. If you're going to have a WLAN, you
better not make it easily available. The folks that provided service that
Walter hijacked were so lucky that he got caught, and they probably don't even
know that they were providing his service.

 

[Dennis]

Dennis,

The Trusted Zone, if for the subnet, is controlled by the 255.255.255.0 yes.
Meaning that's 255 addresses you would trust. If you only have say a dozen
computers, that would include 240+ addresses open to abuse.

If you have a wireless LAN (ie can't control the physical media like with a
wired LAN), you ought to permit access thru the firewall on each computer only
to known computers that YOU own. If an intruder associated with your WAP, and
you were Trusting your subnet, he would be half in already. If you trust only
individual ip addresses, assigned by you, he would have a harder time getting
thru your personal firewalls. And if you manually assign ip addresses, he would
have to figure out your subnet before he could assign himself an address.

Do you understand how incredibly stupid Walter Nowakowski (the wardriver
mentioned in the first link from my webpage) was? Yet he was surfing away.
Imagine how smart the smart wardrivers are. If you're going to have a WLAN, you
better not make it easily available. The folks that provided service that
Walter hijacked were so lucky that he got caught, and they probably don't even
know that they were providing his service.

I'm a little confused on what a subnet is. My router network ip is xxx.xxx.1.0
and it's subnet is 255.255.255.0. the gateway is xxx.xxx.1.1 Let's suppose that
I've restricted all my computers in the router to be on xxx.xxx.1.200 to
xxx.xxx.1.255. Let further suppose that I have 4 computers on the network.
What would be the subnet addresses I would put into ZAP's firewall zones?

Thanks again for all your help!

 

[Chuck]

I'm a little confused on what a subnet is. My router network ip is xxx.xxx.1.0
and it's subnet is 255.255.255.0. the gateway is xxx.xxx.1.1 Let's suppose that
I've restricted all my computers in the router to be on xxx.xxx.1.200 to
xxx.xxx.1.255. Let further suppose that I have 4 computers on the network.
What would be the subnet addresses I would put into ZAP's firewall zones?

Thanks again for all your help!

Dennis,

If you have 4 computers, plus the router, on the LAN, with a subnet mask of
255.255.255.0, that leaves 250 possible addresses to be hijacked by a wardriver.

The only secure setup in the ZAP Trusted Zone would be individual entries - the
router, plus the 4 computers, one entry at a time.

The router subnet setting determines your subnet. If the router LAN IP address
is xxx.xxx.1.1, and the subnet mask is 255.255.255.0, the subnet will be
xxx.xxx.1.0/24 (another way of saying xxx.xxx.1.1 / 255.255.255.0). This gives
you a subnet with 255 possible host addresses (0 - 254) (you can't use address
255 - it's for broadcasts).

Now, how did you restrict the computers? Would that be the DHCP scope? If so,
that only says that the DHCP server will assign addresses xxx.xxxx.1.200 -
xxx.xxx.1.254. But even though the DHCP scope covers only 200 - 254, any
computer can assign itself a fixed ip address of anywhere in 0 - 254 (less of
course the address used by the router LAN address, generally but not always 1).

If the subnet permits 255 addresses, the scope of the DHCP server only restricts
DHCP assignments. It doesn't restrict addresses that can be used. If you
restrict your DHCP scope to whatever, a wardriver can still assign himself any
address inside or outside that range, but on the subnet.

The only valid way to restrict by subnet is to setup a subnet mask properly.
This means that YOUR computer population has to be conveniently numbered at
exactly a power of 2 less 1. Simplest example - if you have 255 computers, a
subnet mask 255.255.255.0 would work. If you have 127 computers, use
255.255.255.128. If 63 computers, use 255.255.255.192. Do you see the
mathematical sequence here?

If you have 4 computers plus a router, you have 5 addresses. You could use
255.255.255.248, which would give 7 possible addresses. This would leave 2
addresses for use by any wardriver that associates with the WAP, and DHCP will
happily assign one if requested.

For any subnet, restricting purely by subnet is a dodgy procedure.

 

[Dennis]

If you have 4 computers, plus the router, on the LAN, with a subnet mask of
255.255.255.0, that leaves 250 possible addresses to be hijacked by a wardriver.

The only secure setup in the ZAP Trusted Zone would be individual entries - the
router, plus the 4 computers, one entry at a time.

The router subnet setting determines your subnet. If the router LAN IP address
is xxx.xxx.1.1, and the subnet mask is 255.255.255.0, the subnet will be
xxx.xxx.1.0/24 (another way of saying xxx.xxx.1.1 / 255.255.255.0). This gives
you a subnet with 255 possible host addresses (0 - 254) (you can't use address
255 - it's for broadcasts).

Now, how did you restrict the computers? Would that be the DHCP scope? If so,
that only says that the DHCP server will assign addresses xxx.xxxx.1.200 -
xxx.xxx.1.254. But even though the DHCP scope covers only 200 - 254, any
computer can assign itself a fixed ip address of anywhere in 0 - 254 (less of
course the address used by the router LAN address, generally but not always 1).

If the subnet permits 255 addresses, the scope of the DHCP server only restricts
DHCP assignments. It doesn't restrict addresses that can be used. If you
restrict your DHCP scope to whatever, a wardriver can still assign himself any
address inside or outside that range, but on the subnet.

The only valid way to restrict by subnet is to setup a subnet mask properly.
This means that YOUR computer population has to be conveniently numbered at
exactly a power of 2 less 1. Simplest example - if you have 255 computers, a
subnet mask 255.255.255.0 would work. If you have 127 computers, use
255.255.255.128. If 63 computers, use 255.255.255.192. Do you see the
mathematical sequence here?

If you have 4 computers plus a router, you have 5 addresses. You could use
255.255.255.248, which would give 7 possible addresses. This would leave 2
addresses for use by any wardriver that associates with the WAP, and DHCP will
happily assign one if requested.

For any subnet, restricting purely by subnet is a dodgy procedure.

Ok Thanks I've really learned a lot!

So what you are saying is to assign each computer a static IP and subnet like
xxx.xxx.1.200/255.255.255.248. In the ZAP Firewall Zone only put the assigned
static IP's in the Trusted Zone.

The ZAP Trusted network would still be xxx.xxx.1.0/255.255.255.248?
In the LinkSys router I would put the xxx.xxx.1.1 and 255.255.255.248 as the
IP/Subnet mask?

If I use static IPs for each computer and in the ZAP Firewall Zones does it
matter if I also change the subnet from 255.255.255.0 to 255.255.255.248?

 

[Chuck]

Ok Thanks I've really learned a lot!

So what you are saying is to assign each computer a static IP and subnet like
xxx.xxx.1.200/255.255.255.248. In the ZAP Firewall Zone only put the assigned
static IP's in the Trusted Zone.

The ZAP Trusted network would still be xxx.xxx.1.0/255.255.255.248?
In the LinkSys router I would put the xxx.xxx.1.1 and 255.255.255.248 as the
IP/Subnet mask?

If I use static IPs for each computer and in the ZAP Firewall Zones does it
matter if I also change the subnet from 255.255.255.0 to 255.255.255.248?

Dennis,

Any computer on a subnet has to have an ip address with the same subnet, plus an
identical subnet mask, assigned to it, either by DHCP, or as a static setting.

In ZAP Trusted Zone on each computer, you only enter the fixed ip address of
each computer (and the router). You only enter the subnet mask in one place.
If you use DHCP (which I strongly suggest you don't do), in the DHCP
configuration on the router. If you're using fixed IP settings, you enter:
- IP Address
- Subnet Mask
- Default Gateway
- DNS Servers
In the TCP/IP Properties wizard on each computer. Just enter an identical
subnet mask everywhere, or you will have problems. If the ZAP Trusted Zone
depends only upon fixed, individual ip addresses, you can use any convenient
subnet mask (theoretically you could use 255.255.0.0, if you had 255 x 255
computers on the LAN, but your router would probably crash and burn before
long), safely.

 

[Dennis]

Any computer on a subnet has to have an ip address with the same subnet, plus an
identical subnet mask, assigned to it, either by DHCP, or as a static setting.

In ZAP Trusted Zone on each computer, you only enter the fixed ip address of
each computer (and the router). You only enter the subnet mask in one place.
If you use DHCP (which I strongly suggest you don't do), in the DHCP
configuration on the router. If you're using fixed IP settings, you enter:
- IP Address
- Subnet Mask
- Default Gateway
- DNS Servers
In the TCP/IP Properties wizard on each computer. Just enter an identical
subnet mask everywhere, or you will have problems. If the ZAP Trusted Zone
depends only upon fixed, individual ip addresses, you can use any convenient
subnet mask (theoretically you could use 255.255.0.0, if you had 255 x 255
computers on the LAN, but your router would probably crash and burn before
long), safely.

Thanks Chuck.

One last question. Instead of changing to fixed IP's for each computer wouldn't
it be just as safe to use the Linksys WAP's filter to only allow my PC's with
certain MAC addresses to access the WAP? So the WAP would have WEP and MAC
filters for protection from outside sources. How easy would it be to spoof a
MAC address and WEP?

 

[Chuck]

Thanks Chuck.

One last question. Instead of changing to fixed IP's for each computer wouldn't
it be just as safe to use the Linksys WAP's filter to only allow my PC's with
certain MAC addresses to access the WAP? So the WAP would have WEP and MAC
filters for protection from outside sources. How easy would it be to spoof a
MAC address and WEP?

Dennis,

MAC address filtering is one component of WiFi security, but it's also one of
the weakest. Most Windows XP network driver wizards have, in the GUI, a place
to change the MAC address.

Under Local Area Connection - Properties, hit Configure. This takes you to the
wizard for the network card. On the Advanced tab, is there an entry "Network
Address"? See if it lets you type one in (you can select a Value window on
mine).

Any wardriver knows how to change the MAC address. That's actually a key step
in a man in the middle aka evil twin hijack.

As far as WEP, fuggetaboutit. WEP is almost no security by itself, just
slightly better than MAC address filtering.
<http://nitecruzr.blogspot.com/2005/05/wep-just-isnt-enough-protection.html>
<http://nitecruzr.blogspot.com/2005/05/setting-up-wifi-lan-please-protect.html>

 

[Dennis]

MAC address filtering is one component of WiFi security, but it's also one of
the weakest. Most Windows XP network driver wizards have, in the GUI, a place
to change the MAC address.

Under Local Area Connection - Properties, hit Configure. This takes you to the
wizard for the network card. On the Advanced tab, is there an entry "Network
Address"? See if it lets you type one in (you can select a Value window on
mine).

Any wardriver knows how to change the MAC address. That's actually a key step
in a man in the middle aka evil twin hijack.

As far as WEP, fuggetaboutit. WEP is almost no security by itself, just
slightly better than MAC address filtering.
<http://nitecruzr.blogspot.com/2005/05/wep-just-isnt-enough-protection.html>
<http://nitecruzr.blogspot.com/2005/05/setting-up-wifi-lan-please-protect.html>

Yipes! I guess I better upgrade to a WAP that at least has WPA encryption.

Thanks again.

 

[Chuck]

Yipes! I guess I better upgrade to a WAP that at least has WPA encryption.

Thanks again.

You're welcome, Dennis. Please let us know how everything works out for you.

 

[Dennis]

You're welcome, Dennis. Please let us know how everything works out for you.

Sorry one more security question that I just thought of.

My Son has a laptop and when he comes home from school he likes to connect to
our network through the wireless WAP.

One of my fears is that since he uses instant messages through AOL and has Kazaa
that a hacker would be able to get into my network through his laptop. Until
now that was not a problem because his laptop could not see my network because
of my network non mapping problems discussed before. But now all the computers
on the network can see each other.

If I assign static IP's to my work computers and have ZAP only allow those
Static IP' in the trusted zone is that enough to protect those computers from
hackers that may enter through my Son's laptop?

Thanks for your help

Dennis

 

[Chuck]

Sorry one more security question that I just thought of.

My Son has a laptop and when he comes home from school he likes to connect to
our network through the wireless WAP.

One of my fears is that since he uses instant messages through AOL and has Kazaa
that a hacker would be able to get into my network through his laptop. Until
now that was not a problem because his laptop could not see my network because
of my network non mapping problems discussed before. But now all the computers
on the network can see each other.

If I assign static IP's to my work computers and have ZAP only allow those
Static IP' in the trusted zone is that enough to protect those computers from
hackers that may enter through my Son's laptop?

Thanks for your help

Dennis

Dennis,

That's a valid concern, and one that may take some thought. There are known
"combined threats" which start from a trojan or virus (not the same thing)
entering a network on a single point (ie an IM or P2P session), and spreading as
a worm thru an otherwise unprotected network.

I believe ZAP contains stateful features (ie better than just "this external ip
address has access to this specific local port"), so it would hopefully protect
against at least some threats that might enter thru your sons laptop. Are you
planning to give your son access to any shared folders or printers, or just
access to the Internet?

 

[Dennis]

Dennis,

That's a valid concern, and one that may take some thought. There are known
"combined threats" which start from a trojan or virus (not the same thing)
entering a network on a single point (ie an IM or P2P session), and spreading as
a worm thru an otherwise unprotected network.

I believe ZAP contains stateful features (ie better than just "this external ip
address has access to this specific local port"), so it would hopefully protect
against at least some threats that might enter thru your sons laptop. Are you
planning to give your son access to any shared folders or printers, or just
access to the Internet?

I want to block my Son's access to any shared folders but not the printer that
is on a USB linksys Server.

My Sons laptop has to have a dynamic IP because he has to connect at school
which has a different set of internal IP's than my router.

As an experiment I set my Laptop to a fixed IP address and on the desktop ZAP I
deleted all Trusted DHCP zones. I could not delete the trusted network in ZAP
which was xxx.xxx.1.0/255.255.255.0 for ZAP would not allow.

The laptop still had full access to the desktop's folders.

I blocked xxx.xxx.1.1 to xxx.xxx.1.255 in ZAP but I could still access the
decktop computers shared files.

How do you block all IPs except those that you trust?

Thanks.

 

[Dennis]

I want to block my Son's access to any shared folders but not the printer that
is on a USB linksys Server.

My Sons laptop has to have a dynamic IP because he has to connect at school
which has a different set of internal IP's than my router.

As an experiment I set my Laptop to a fixed IP address and on the desktop ZAP I
deleted all Trusted DHCP zones. I could not delete the trusted network in ZAP
which was xxx.xxx.1.0/255.255.255.0 for ZAP would not allow.

The laptop still had full access to the desktop's folders.

I blocked xxx.xxx.1.1 to xxx.xxx.1.255 in ZAP but I could still access the
decktop computers shared files.

In experimenting, I assigned fixed sequencial IP's to the computers that need to
share files. In the router I have the DHCP Server assign the starting IP
addresses outside of my fixed IP range. In ZAP I block all IP's outside this
range. This seemed to block those computers that were outside the fixed IP
range. If I set the subnet to 255.255.255.240 this will limit the total IP's to
15

The problem is that if a hacker was able to determine my fixed IPs and one of or
more of the computers with a fixed IP was not up the hacker would be able to
access the shared files. A lot of if's but possible?