Windows Firewall Weirdness on Multi-Home Machine

  • Thread starter Thread starter Jamie Hankins
  • Start date Start date
J

Jamie Hankins

My laptop is running XPSP2 with all updates. It has an Intel 2915abg WNIC
(named WIRELESS) and a Intel Pro/100VE (named WIRED).

For exceptions, I have "File and Printer Sharing", "Network Diagnostics for
Windows XP", "Remote Assistance", "Remote Desktop", and "Windows Live
Messenger".

From another computer, I can ping WIRED, but not WIRELESS. Under the
Advanced tab, if I disable firewall on WIRELESS, it still doesn't work.
However, if I leave it enabled on WIRELESS and disable the firewall on WIRED,
suddenly, I can see WIRELESS from the other computer. I went into "ICMP
settings" and made sure that "Allow incoming echo request" was selected.

If I completely disable WIRED, then WIRELESS works perfectly.

Why would enabling or disabling the firewall on the other NIC matter?

Another data point is that SMB (File and Printer Sharing) works regardless
of whether the firewall is enabled on either card as long as the exception
for it is enabled.

I don't really care of I can ping this machine or not, but Remote Desktop
also doesn't work when I try to connect using the WIRELESS IP when the
firewall is active on WIRED.
 
My laptop is running XPSP2 with all updates. It has an Intel 2915abg WNIC
(named WIRELESS) and a Intel Pro/100VE (named WIRED).

For exceptions, I have "File and Printer Sharing", "Network Diagnostics for
Windows XP", "Remote Assistance", "Remote Desktop", and "Windows Live
Messenger".

From another computer, I can ping WIRED, but not WIRELESS. Under the
Advanced tab, if I disable firewall on WIRELESS, it still doesn't work.
However, if I leave it enabled on WIRELESS and disable the firewall on WIRED,
suddenly, I can see WIRELESS from the other computer. I went into "ICMP
settings" and made sure that "Allow incoming echo request" was selected.

If I completely disable WIRED, then WIRELESS works perfectly.

Why would enabling or disabling the firewall on the other NIC matter?

Another data point is that SMB (File and Printer Sharing) works regardless
of whether the firewall is enabled on either card as long as the exception
for it is enabled.

I don't really care of I can ping this machine or not, but Remote Desktop
also doesn't work when I try to connect using the WIRELESS IP when the
firewall is active on WIRED.
Click to expand...

I assume that WIRED and WIRELESS have IP addresses in the same subnet.
When both connections are enabled, Windows XP will use only one of
them to send packets out to the network. By default, it will send
packets out using WIRED, based on automatic metric assignment, as
described here:

An explanation of the Automatic Metric feature for Internet Protocol
routes
http://support.microsoft.com/?id=299540

So when a ping or a remote desktop connection request arrives on
WIRELESS, Windows XP will try to send the reply using WIRED, and the
firewall on WIRED can block it. In that case, disabling the firewall
on WIRED lets the reply through.

When you disable the WIRED connection, Windows XP usees WIRELESS to
send the reply.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Steve Winograd said:
I assume that WIRED and WIRELESS have IP addresses in the same subnet.
When both connections are enabled, Windows XP will use only one of
them to send packets out to the network. By default, it will send
packets out using WIRED, based on automatic metric assignment, as
described here:
Click to expand...

Yes, that's definitely what's happening. That's the situation that kb
907717 was supposed to fix, but apparently doesn't because this is in my
pfirewall.log:
2008-04-07 13:30:43 DROP ICMP 10.0.0.71 10.0.0.80 - - 60 - - - - 0 0 - SEND

I also found that if more than one NIC renews its lease, then whichever one
renewed it last is what's returned by the DNS server instead of the DNS
server returning addresses for all NICs for that hostname. Ideally, it would
return the list ordered in order of interface metric.

I suppose I could dig around and see if I could get the wireless NIC to not
register with DNS, but that wouldn't be desirable when the laptop isn't
docked.

I think that pretty much means that when I'm accessing this laptop remotely
on my network, I'm just going to have to disable the wireless NIC. There's a
switch on the side to turn wireless off, but it also turns bluetooth off.
Maybe I'll write an on and an off script and leave them on the desktop or
assign hotkeys to them.

Thanks much for your help.

Jamie
 
Yes, that's definitely what's happening. That's the situation that kb
907717 was supposed to fix, but apparently doesn't because this is in my
pfirewall.log:
2008-04-07 13:30:43 DROP ICMP 10.0.0.71 10.0.0.80 - - 60 - - - - 0 0 - SEND
Click to expand...

Yes, the KB would seem to have the fix.
I also found that if more than one NIC renews its lease, then whichever one
renewed it last is what's returned by the DNS server instead of the DNS
server returning addresses for all NICs for that hostname. Ideally, it would
return the list ordered in order of interface metric.
Click to expand...

I don't think that the DNS server knows the interface metrics for the
NICs.
I suppose I could dig around and see if I could get the wireless NIC to not
register with DNS, but that wouldn't be desirable when the laptop isn't
docked.

I think that pretty much means that when I'm accessing this laptop remotely
on my network, I'm just going to have to disable the wireless NIC. There's a
switch on the side to turn wireless off, but it also turns bluetooth off.
Maybe I'll write an on and an off script and leave them on the desktop or
assign hotkeys to them.
Click to expand...

You could leave the wireless NIC enabled and do ipconfig/release on
it. That would make all network access use the wired NIC, and it
wouldn't affect Bluetooth.
Thanks much for your help.
Click to expand...

You're welcome!
Jamie
Click to expand...
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Back
Top