Windows 2000 Causes Excessive Internet Dialups

[Bill Glidden]

For some reason Windows 2000 causes NIAS to dial our ISP at unwanted times.
Like when the PC starts up or Explorer is opened or even certain
applications. This is annoying and is getting expensive. Any ideas on how
to control this?
Many thanks,
Bill

[Andy Thompson]

Try filtering netbios traffic from the NIC interface using filtcfg on the
server.

--

Andy Thompson
Novell Support Connection Volunteer SysOp

[Bill Glidden]

Thanks, Andy. I am not at the site in question, so I can't see whether
netbios is available in the Protocol Filters menu. Not avail on 4.11
server I'm looking at right now. System with issue is SBS 4.2.
Cheers,
Bill
"Andy Thompson" <thom...@nscsysop.com> wrote in message
news:3D2E6576...@nscsysop.com...

[Andy Thompson]

> Thanks, Andy. I am not at the site in question, so I can't see whether
> netbios is available in the Protocol Filters menu. Not avail on 4.11
> server I'm looking at right now. System with issue is SBS 4.2.

You just need to block ports 137-139. If there is not a netbios definition
specifically, you can create one real quick

[Warren Frush]

Check to make sure the server isn't doing an echo every three seconds.
It's been a while since I was poking around in these settings, but in
INETCFG, in the TCP protocol section, I think, there's a setting for
echo frequency. Mine were echoing every three seconds. I had to turn
this off to get my servers to disconnect during periods of no
activity.

On my Windows 2000 Pro station running 4.83 client, I have a personal
firewall. Using it, I found that my machine is receiving 74 bytes of
data from SVRLOC-DA.MCAST.NET at 224.0.1.35.

This is a multicast that searches for directory agents and it acts
like a local address on my system. Your clients might be checking for
directory agents as well, causing a dial-up event.

Warren

[Stuart Robinson]

I thought the dialup was triggered by the network activity itself into the
server, and not triggered by the output of the filters.

Stuart.

[Andy Thompson]

>
> I thought the dialup was triggered by the network activity itself into the
> server, and not triggered by the output of the filters.
>

It could be SLP on the server, but if it is indeed the 2k machine, then
filtering netbios broadcasts at the NIC will stop the server from
forwarding them to the dial up and triggering the link.

[Stuart Robinson]

Are netbios packets treated differently to normal tcp/ip then ?

Craig Johnsons book on packet filtering (V1 of a Begginers Guide to Packet
Filtering p122) says in relation to tcp/ip that;

'first a dial up link is opened and THEN filtering is activated'

Stuart.

[Andy Thompson]

Yes, for server generated traffic. All traffic is blocked at the NIC so
the server never forwards the traffic along to the modem, and there will
be nothing to activate or filter at that interface.

[Tim Scotland]

Which Groupwise client are they using. I had one site which had a
dial up problem (other than Netbios) that was running GW5.5 client
with SP1 They had the client open with the multi user calendar and
that caused NIAS to dial up. Equally every time they changed away and
back to the Multi user calendar it would dial up. Changing the GW
client to SP3 or later fixed the problem.

Tim

On Fri, 12 Jul 2002 04:23:50 GMT, "Bill Glidden"
<bgli...@bigpond.net.au> wrote:

**********************
Scotland
God's Country
**********************
Volunteer SYSOP
No Direct Mail Please.

[Paul Cowper]

Like Stuart, I am doubtful that the filters will work - I've been down that
route before.

On the Win2K machine, you can disable NetBIOS over TCP/IP - that cured it for
me - TCPIP Properties->Advanced->Wins.

.Paul.MA

[Stuart Robinson]

> Yes, for server generated traffic.

Not sure what you are saying yes too ?

> All traffic is blocked at the NIC so
> the server never forwards the traffic along to the modem

Can you block traffic AT an interface ?

I always thought you could only block traffic BETWEEN interfaces.

The point Craig seems to make is that in the case of dial-up (NIAS) the
filters cant work because until the connection is established there is no
interface for the filters to work on.

Stuart.

[Andy Thompson]

> > Yes, for server generated traffic.
>
> Not sure what you are saying yes too ?
>

The link is brought up and then filtering does it's thing. For server
generated traffic, this is obviously a problem since you can't block the
modem interface from seeing the traffic. In the case of LAN generated
traffic, the modem will never see the traffic if you don't let it.

> > All traffic is blocked at the NIC so
> > the server never forwards the traffic along to the modem
>
> Can you block traffic AT an interface ?
>

Source <any> destination <specific interface>

> The point Craig seems to make is that in the case of dial-up (NIAS) the
> filters cant work because until the connection is established there is no
> interface for the filters to work on.

True... for any traffic that is sent along to the modem... if the traffic
doesn't hit the modem, there is no reason for it to dial. In the extreme
case, disabling IP forwarding and relying strictly on proxies should
effectively do the same thing.

[Stuart Robinson]

Then I am not sure what Craig is implying, when he says that you cant
filter traffic that brings up a Dial Up connection.

The solution suggested is another dial-up router upstream of the BM server
where you can then filter traffic reaching the router.

Stuart.

[Bill Glidden]

Sorry, I missed this post Paul. Looks like you have experienced and nailed
the same issue. If it is netbios traffic, then killing it at source makes
very good sense. Thanks a lot.

"Paul Cowper" <paul....@marda.com> wrote in message
news:3D2F4396...@marda.com...

[Bill Glidden]

We are not using GroupWise. Thank you all for your insight on this. I will
have a go at applying it when I get a chance and let you know how I go.
Looks like netbios filtering would be a good place to start.
Cheers,
Bill
"Tim Scotland" <t...@iqx.co.uk> wrote in message
news:6qbuiu45a7fum3m1a...@4ax.com...

[Andy Thompson]

> Then I am not sure what Craig is implying, when he says that you cant
> filter traffic that brings up a Dial Up connection.
>

Traffic generated by the server itself cannot be filtered, most noteably SLP
traffic in NW5x/6x servers.

[Bill Glidden]

OK, this is what I have tried. Turned on netbios (tcp & udp) filters,
disabled netbios over TCP/IP on the Win2K PCs, turned off auto live update
on NAV, disabled Altiris remote manager (these are Compaq boxes), turned off
file&print sharing and microsoft networking. Result: when PC is restarted,
there is still a dialup happening just after logging in (using latest
Netware client and patch). Subsequent logging off and on does not trigger
dialup. Line drops OK after set time. Does seem to have settled down from
what was happening previously. Even opening up the printer window would
cause dialup. Could SLP be causing this, even though we are using NWSB4.2?
Any more ideas, anyone?
Cheers,
Bill

"Paul Cowper" <paul....@marda.com> wrote in message
news:3D2F4396...@marda.com...

[Andy Thompson]

> OK, this is what I have tried. Turned on netbios (tcp & udp) filters,
> disabled netbios over TCP/IP on the Win2K PCs, turned off auto live update
> on NAV, disabled Altiris remote manager (these are Compaq boxes), turned off
> file&print sharing and microsoft networking. Result: when PC is restarted,
> there is still a dialup happening just after logging in (using latest
> Netware client and patch). Subsequent logging off and on does not trigger
> dialup. Line drops OK after set time. Does seem to have settled down from
> what was happening previously. Even opening up the printer window would
> cause dialup. Could SLP be causing this, even though we are using NWSB4.2?
> Any more ideas, anyone?

Try removing DNS from the name search order on the protocol preferences tab
under your client properties.

[Johan]

If you have Netware 4.x and therefore don't use IP for NCP the easiest way
to solve your problems is to reinstall the Netware clients with IPX only
(custom install),

Johan

[Bill Glidden]

I will try this Andy. Is the Netware client doing a DNS lookup when it
first logs in then?

Cheers,
Bill
"Andy Thompson" <thom...@nscsysop.com> wrote in message

news:3D33FA99...@nscsysop.com...

[Bill Glidden]

Yeah, but what about IP? Can I use Microsoft IP stack when Netware client
is using IPX only? I have never tried this.
Cheers,
Bill
"Johan" <johan_no_spamr@no_spam.nl> wrote in message
news:xGTY8.35$Mm1...@prv-forum2.provo.novell.com...

[Andy Thompson]

> I will try this Andy. Is the Netware client doing a DNS lookup when it
> first logs in then?

Part of the NW5x IP support. If you have don't have 5x or don't want IP
connections to your server, you can reinstall the client IPX only.

[Johan]

Sure you can, it only means that the Netware client will not use IP to
connect to the server. The Internet explorer etc will still continue to work
using the MS IP stack,

Johan

"Bill Glidden" <bgli...@bigpond.net.au> schreef in bericht
news:jebZ8.31$Dq3...@prv-forum2.provo.novell.com...

[Ken McLeod]

Hi Bill,

I didin'r read the entire thread to see if you
solved this, but just in case:

I had this problem and resolved it. If you search
in the KB using "dial on demand" or "dun" you will
find the problem. It has to do with RIP and SLP,
as I recall.

You can check TID 10014838 but there are others.
Look in the KB under "dial on demand."

You basically have to turn off everything on the
workstation that is seeking to access the net.

Cheers,
Ken

--
* Ken McLeod
* Computer Overseer
* THE DELPHIAN SCHOOL
* 20950 SW Rock Creek Road
* SHERIDAN, OR 97378
* http://www.delphian.org

[Bill Glidden]

Hi Ken,
Found the TID and applied fix. No difference. I am now at the services
level to see what is starting up and looking for something not on the LAN.
I think going broadband would be much easier!
Cheers,
Bill
"Ken McLeod" <kmc...@delphian.org> wrote in message
news:3D359DF0...@delphian.org...

[Bill Glidden]

Uninstall and reinstall of Netware client IPX-only made no difference.

"Johan" <johan_no_spamr@no_spam.nl> wrote in message

news:1WbZ8.19$BC3...@prv-forum2.provo.novell.com...

[Johan]

Some troubeshooting tips: connect only 1 PC to the server, reboot it and see
if it still produces a dial-up.

Before the reboot enter this command on the server console: set tcp ip debug
=1

On the console you should see what packet triggers the dial-up. It should be
captured in the conlog too. If you don't recognize the packet you can post
that part of the conlog here and maybe someone else will understand,

Johan

"Bill Glidden" <bgli...@bigpond.net.au> schreef in bericht

news:1zvZ8.29$hG5...@prv-forum2.provo.novell.com...

[Ken McLeod]

Well, you're right about broadband! <g>

It did take a while to find what I needed to get
my machines to stop dialling out, but the answers
were in the TIDs.

As I said, one of the things (and I couldn't
locate the TID again) had to do with SLP. You
could try unloading SLPTCP at the server and see
if the problem goes away. That is one thing I do
recall, but I don't recall if it was all of the
fix ...

Bill Glidden wrote:
>
> Found the TID and applied fix. No difference. I am now at the services
> level to see what is starting up and looking for something not on the LAN.
> I think going broadband would be much easier!

--

[Bill Glidden]

Hi Ken,
This is a SBS 4.2 server so SLP is not in the equation. I am going to try
and see what is going on at the packet level as suggested by Johan above.

Cheers,
Bill
"Ken McLeod" <kmc...@delphian.org> wrote in message

news:3D36EEDF...@delphian.org...

[Bill Glidden]

Thanks for the suggestion Johan. This will work on 4.2?

Cheers,
Bill
"Johan" <johan_no_spamr@no_spam.nl> wrote in message

news:LOyZ8.35$j26...@prv-forum2.provo.novell.com...

[Johan]

Yes, it will work on Netware 4.x

Johan

"Bill Glidden" <bgli...@bigpond.net.au> schreef in bericht

news:l4SZ8.13$KN....@prv-forum2.provo.novell.com...

[Johan]

Bill,

its a workstation (192.168.0.13) doing a DNS lookup. I am surprised that
reinstalling the Netware Client with IPX only didn't solve this problem but
maybe the Netware client isn't the cause of this problem. Anyhow, just to be
sure, if in the Netware client properties/protocol preferences the IP
protocol is still there you should disable DNS (and maybe SLP too) in the
protocol component settings.

If that still doesn't work another approach might be to disable the
workstations access to the DNS server (you do this by configuring the DHCP
server not to hand out this DNS server address and the default gateway
address to the workstations).

If you this the workstations will loose direct access to the Internet but
they still can access the Internet through the proxy server) if you have a
proxy server running on the server at all ..... I think NWSB 4.2 has the
Bordermanager proxy server coming with it. But this all depends on what
Internet services you want to the workstations to have availiable,

Johan

"Bill Glidden" <bgli...@bigpond.net.au> schreef in bericht

news:Wg719.2353$n.6...@prv-forum2.provo.novell.com...
> OK, here is the conlog. The second last packet triggered a dialup.

>
> "Johan" <johan_no_spamr@no_spam.nl> wrote in message

> news:xiTZ8.44$KN....@prv-forum2.provo.novell.com...

[Bill Glidden]

Johan,
There is no Netware IP on the client. I had also previously disabled SLP.
This site's NWSBS 4.2 is running Proxy Server. I am flying blind, though
when it comes to configuring it. I do know how to remove the DNS server and
gateway addresses from the DHCP server. This server has always run Border
Manager and Proxy Server but my knowledge of both of these is rudimentary at
best. Can you point me in the right direction please?

Cheers,
Bill
"Johan" <johan_no_spamr@no_spam.nl> wrote in message

news:YI719.2372$n.5...@prv-forum2.provo.novell.com...

[Johan]

Bill,

if your workstations only access the Internet through the proxy (you can see
that by looking in the Internet Explorer at Extra/Internet
options/connections/LAN and see if the LAN address of your server is listed
there as the proxy) you can disable direct Internet access for the
workstations. You must be sure that the workstations don't need the direct
Internet access for other things like accessing a POP mailbox at your ISP
with Outlook Expresss on their workstation.

If the workstations do not use the proxy sever yet but you have the proxy
server running you can try to setup Internet Explorere on the workstations
to use it: Extra/Internet options/connections/LAN/proxzy settings. Put the
LAN IP address of your server there as the proxy server and set the port
number to 8080.

If the workstations use the proxy for Internet access you don't need to
configure anything in Bordermanager. Load dhcpcfg and remove the DNS server
and gateway IP address from the proxy server. Unload and load dhcpsrvr and
reboot the workstation,

Johan

"Bill Glidden" <bgli...@bigpond.net.au> schreef in bericht

news:rEm19.3235$n.8...@prv-forum2.provo.novell.com...

[Bill Glidden]

Thanks, again Johan. Only one of the workstations needs direct access for
Outlook Express. I suppose dialup will decline somewhat if I set up all the
workstations as you suggest. I will let you know how I go.

Cheers,
Bill
"Johan" <johan_no_spamr@no_spam.nl> wrote in message

news:qys19.3378$n.9...@prv-forum2.provo.novell.com...