Question: Notebooks losing DHCP on wifi connection after connecting to another wifi earlier

Jan 28, 2021
Hello and good morning/evening/afternoon (or even midnight).

I have an issue and I don't know where it fits best. So I will post it here for now, and as it progresses we can move it to a better place if necessary.

At the company, we use Ubiquiti APs to manage the wifi connections. And a few of our employees have a personal notebook (which they use to connect via VPN when they travel for clients/suppliers).
Recently, the notebooks started to have some network problems. When they connect inside the company (using the Ubiquiti APs) they lose the DHCP defined for their notebooks (e.g.: they have an x.x.x.15 IP and end up on the y.y.y.215 IP).

So the support team needs to manually set a fixed IP and then change back to DHCP for it to work again.

Does anyone have any idea of what it can be?
 

Ralston18

Titan
Moderator
Do any of the employees connect using wired while away from the office? Ensure that those laptops only have one network adapter (either wired or wireless) enabled. Not both network adapters enabled at the same time.

On each laptop run "ipconfig /all" to view the laptop's network configuration settings. Determine if the settings are a match to the expected home office network settings.

At the office the laptops should be configured to use DHCP to obtain an IP address from the office router.

Static (fixed) IP addresses should be used for office devices such as the APs, printers, NAS, etc.

Then there should be a range of DHCP IP addresses established for office laptop users. That DHCP IP address range should not include any assigned static IP addresses.
 
It depends on how the VPN works. Does the VPN assign IP addresses out of the same IP pool used by users that connect locally? This can be done, but it tends to be more common for the VPN to assign a different pool of IP addresses and then run NAT to allow local access.
 
Jan 28, 2021
All connections are made via wi-fi in and out of the company. We disabled the ethernet cable after the error started.

The connections are already defined by DHCP, because if we set a static IP to work at the office, they wouldn't have a connection at home, etc.

The range for each type of equipment is different, e.g.: Computers - 192.168.1.x ~ 192.168.2.x / Printers - 192.168.3.x / AP, Routers, Switches - 192.168.10.x / Servers - 192.168.11.x
 
Jan 28, 2021
Our VPN sets up the connection on a different range instead, something like 200.200.1.100.
It is a good idea to make it work inside our IP range, but we have 3rd parties (idk if the term is correct) who connect via VPN too.
 

Ralston18

Titan
Moderator
Subnet = 255.255.0.0

"Looking in" from afar my thought is to take a look at the manual IP address configuration changes being made by the support team.

Look for errors and typos with respect to both IP addresses and the subnet masks.

And do not overlook the role that MACs play regarding reserved/static IP addresses.

Typos there are all too problematic.

Not putting any blame on the teams but they are usually working under pressure of some sort and it is all too easy to make an error of omission or commission.

Especially if there is a lot of connection/network changing going on between wired and wireless among multiple networks: office, away, home, using VPNs, etc.

And if end users can make network-related configuration changes, that adds even more variables. Or users who can bring in rogue (aka "guest") devices.

Problems can quite literally go in circles if the big picture is lost.

Do you have any network discovery and mapping software?
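
An added example (not part of any post in this thread): a small Python audit of `ipconfig /all` output that applies the checks suggested above, namely one active adapter, DHCP enabled, an address inside the laptop range and the expected subnet mask. The sample output is constructed, English-locale output is assumed, and the range and mask are the values quoted in the thread.

```python
import ipaddress
import re

# Assumed from the thread: laptops in 192.168.1.x-192.168.2.x, mask 255.255.0.0.
LOW, HIGH = ipaddress.ip_address("192.168.1.0"), ipaddress.ip_address("192.168.2.255")
EXPECTED_MASK = "255.255.0.0"

# Constructed sample of English-locale `ipconfig /all` output (not a real capture).
SAMPLE = """\
Wireless LAN adapter Wi-Fi:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.10.215(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : Yes
"""

def parse_ipconfig(text):
    """Split the output into {adapter name: {field: value}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[re.sub(r"[ .]+$", "", key).strip()] = value.strip()
    return adapters

def audit(text):
    """Check every adapter holding an IPv4 address; return a list of findings."""
    findings = []
    live = {n: f for n, f in parse_ipconfig(text).items() if "IPv4 Address" in f}
    if len(live) > 1:
        findings.append("more than one active adapter: " + ", ".join(live))
    for name, f in live.items():
        ip = ipaddress.ip_address(f["IPv4 Address"].split("(")[0])
        if f.get("DHCP Enabled") != "Yes":
            findings.append(f"{name}: DHCP disabled, static address still set")
        if not LOW <= ip <= HIGH:
            findings.append(f"{name}: {ip} is outside the laptop range")
        if f.get("Subnet Mask") != EXPECTED_MASK:
            findings.append(f"{name}: mask {f.get('Subnet Mask')}, expected {EXPECTED_MASK}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a laptop, save the output with `ipconfig /all > net.txt` and pass the file contents to `audit()`.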
 
Jan 28, 2021
Ok.
So I'll try to explain my side of the story here (with the English I know, because it isn't my main language).
I am currently responsible for all Network, Databases, Servers, Firewall and Security of the company (and the only one, on paper). I got this job 15 months ago, and when I came here the first time, it was all static IPs.
So, for a company with more than 300 employees, we have an IT team of 6 people. The pressure is enormous. (So maybe all these errors happening can be caused by me, but I'm trying to leave this working, secure and automated for everyone.)
Now I'm a little relieved.

We have 4 VLANs internally: Guests, Corporative, 3rd parties and Factory, which are self-explanatory.
Guest devices can only connect to the Guests VLAN. Others need a MAC registration (on the wi-fi manager) to successfully connect.

And about the software, I don't have any right now for this.

If you didn't understand, I can try to explain in other words.
 

Ralston18

Titan
Moderator
Your English is fine.

And I do (and others here as well) understand. Your situation is not at all uncommon or unique.

Classic "When you are up to your *** in alligators, it is difficult to remember that the original purpose was to drain the swamp."

Overall you are in a tough situation and there are many, many questions that could be asked.

The root issue (and you just confirmed it) is understaffing. But I could very well list out a bunch of other issues and problems as can many others within the IT environment.

And pages upon pages of suggestions that you do not have the time to read...

Identify your top X number of problems. Make a prioritized list, note down solutions, and how you would implement those solutions. And, most importantly, how the company and employees (and even customers) will benefit.

Go to your manager and present the list. You need a champion to support you and fight the bureaucracy/bean counters.

So you can focus on the technical issues.

FYI:

https://www.amazon.com/Cybersecurity-Leadership-Powering-Modern-Organization/dp/1502312115

Get a copy and read the book.

And I realize I stated that you do not have time to read.

However, the book is brief and an easy read. Goes beyond Cybersecurity and into IT in general in many ways.

You will probably be able to put some of the author's thoughts and ideas into practice almost immediately.
 
Jan 28, 2021
Thanks for the nice reply.

But, if you would have the time to write a goddamn big book about problems that can be solved here, I, of course, would make time to read it.
Any help that I receive is one more thing that I can learn about and use to help others in the same situation.

We already made some lists, but most of them are about new projects, instead of making solutions for old problems. And most of our problems that are listed are waiting for our Datacenter Renovation.
So I'll try to make it better and safer after the upgrade.

I'll save up some money and try this book.
Thanks for the advice.