Static IP vs DHCP
-
If you have a windows domain running a dhcp server - why would you enable the dhcp server on pfsense? You should only have 1 dhcp on a network - PERIOD!! Conversation over!! Turn 1 of them off - if you're running AD, then it makes sense to let windows do it. If you're not running AD, then just let pfsense do it.
There can be only 1!! Though..
-
I think we all know that you should have only one dhcp server.
The question is dhcp vs static for a small network. Advantages of static over dhcp for security, etc. For example, http://security.stackexchange.com/questions/1925/dhcp-vs-static-ip-addressing
Different topic altogether. ;)
-
There is NO advantage to static - it's a PITA.. Why would you not just run dhcp? If you want your boxes to always have the same IP then set a reservation.
You are not making it clear what your freaking question is from comments like this.
"I did not know how/if pfSense defers to Windows for assigning IP's." Seemed to me you are running 2 from a statement like that. Why would you be worried about security on a small private network with 7 devices on it? If you're worried about someone plugging into your network - not having dhcp is not going to stop them. Now the use of port security, disabling unused ports on your switch (switch in a controlled area), use of NAC or NAP, etc. would be security features - not a static network.. Now if you have nothing to run a dhcp server on then sure, ok, static works. But if you have a dhcp server available and you don't use it for security reasons you have your tinfoil hat on way too freaking tight ;)
-
Yes, I know about closing ports for port security.
"There is NO advantage to static"
On large networks everyone knows that. But mine is very small.
It would seem that you could answer a simple question without ad hominem attacks. If you don't know the answer, well then man up and just say I don't know. I will never fault you for not knowing. You are only human after all. :)
But let's not make ourselves a walking cliche by talking about tin-foil hats. That is a bit silly, don't you agree?
Not to worry, my friend. I can read on my own and will talk to my Cisco instructor, who set up our lab with static IP's. Kinda foolish of him, I guess. ;)
-
How much clearer can I be - there is NO advantage to static, be it you have 1 device or 1000.. Other than if you only have a couple of devices and don't have a dhcp server available, then using static would allow you to talk to your devices. Or for that matter you could just let them use APIPA and use those ;)
Sorry but if you think static IPs are a security method then your tinfoil hat is indeed on too tight ;)
-
Thank you for your reply and please forgive my tendency to be heretical but that tendency to question has served me quite well in life.
After further reading, it appears that dynamic IP's might actually serve to prevent spoofing in that the IP's of each computer would be completely unpredictable. More simply put, if there is a security component, and yes I think for security everything should be examined, then DHCP would actually tend to be more secure.
Thanks for your help! :)
-
I would not really agree that dhcp clients' IPs would be completely unpredictable. Once a client gets an IP - it would tend to use that IP forever, as long as it can renew. That IP might change if it's offline for a longer time than the lease and the dhcp server then reassigned the IP to another device.
Dhcp clients normally renew at 50% of the lease time, so unless the client is off for longer than say 50% of the lease time and it was before its renew when it went offline, it's unlikely that it would not just keep renewing the same IP. Even if the client has been off the network for longer than the lease - many clients would still request their old IP - and only if the dhcp server had reissued it would it not give that same IP to the original lease holder if requested.
Comes down to your lease time and how long devices leave the network for. In the case of say a server type device that is on 24/7/365 it should always have the same IP. You might even set a reservation so that you don't hand that IP to other devices even if the client is offline for longer than the lease because say you forward traffic to that box and want to make sure it has the same IP, etc.
Where you normally see static is on servers/printers/network equipment/etc that are normally on all the time. Unless you plan on changing information that is handed out via dhcp - say the gateway, the ntp server or other info you can hand out via dhcp - if that device is a "static" type device you might set it on the device directly and maintain your dhcp scope for more dynamic devices.
This is not really an advantage - but might be something the admin does just for administrative reasons. You also have things that are not good dhcp client devices. For example your dhcp server - highly unlikely it could be a dhcp client itself :) You're most likely not going to want your AD DC to be a dhcp client, or your router lan interface ;)
In most every network you're going to see a mix of static and dhcp. The less static the better from an administrative point of view - static on a printer, for example, normally has to be done using a limited input method on the printer itself. I would much rather just let it pick one from a pool and use name resolution to access it, or set up a reservation in my dhcp server vs using a limited input method.
-
I agree with most of what Jon said.
I use a combination of static and DHCP in most networks I'm allowed to play with. Mostly I use a combination of static and dynamic DHCP leases but some devices just behave better with hard coded IPs. The advantage of running static IP is that the device will continue to function in the event that the DHCP server becomes unavailable for whatever reason. For example a switch or a wireless access point can still be reconfigured even if the router/dhcp server is firewalled off. I have seen devices that refuse to allow access to the management interface from outside their own subnet. I have to connect to them directly with my laptop to configure them and having static IPs already set makes that much easier.
Using pfSense for DHCP allows IPs to be resolved to DHCP leases which can make reading the firewall logs much easier. I'm not sure if you can configure pfSense to run reverse DNS against an AD server, I've never tried.
Steve
-
"The advantage of running static IP is that the device will continue to function in the event that the DHCP server becomes unavailable for whatever reason"
Valid point to be sure - but unless you had a very short lease time, your devices should continue to function for days. Let's call it a 4 day lease - worst case a box just before renew (2 days) the dhcp takes a dump. That device should function unless rebooted for at min 2 days. I would hope you have your dhcp server online again within that time frame ;)
Not sure if I would consider that an "advantage" but sure, it's a feature of using static that could be useful on loss of the dhcp server. Normally your dhcp server would be run on a production system like your router (pfsense or soho) or your AD servers - normally the DC for sure in a smb setup. If those took a dump you're going to have more issues on your hands not related to the actual dhcp service ;) In an enterprise setup you would normally have dhcp failover set up, and worst case bringing up a dhcp server in case of loss of primary or backup is a trivial task if you ask me.
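The lease timing argued over in the two posts above (renew at 50% of the lease, a returning client asking for its old address, a 4 day lease surviving a server outage, reservations) as a small simulation. This is an added example, not code from the thread or from pfSense; the client names, addresses and timings are made up.

```python
# Added example (not from the thread): toy model of DHCP lease behaviour. Hours are the
# time unit, 96 h is the "4 day lease" from the discussion; all names/addresses are made up.
class DhcpServer:
    """Pool of dynamic addresses, fixed reservations, timed leases."""
    def __init__(self, pool, lease_hours=96.0, reservations=None):
        self.pool, self.lease_hours = list(pool), lease_hours
        self.reservations = dict(reservations or {})  # client -> fixed ip
        self.leases = {}                              # ip -> (client, expiry)
        self.online = True
    def request(self, client, now, wanted=None):
        """Grant (ip, expiry) to client at time now; None while the server is down."""
        if not self.online:
            return None
        self.leases = {ip: v for ip, v in self.leases.items() if v[1] > now}  # drop expired
        taken = set(self.reservations.values())
        if client in self.reservations:               # a reservation always wins
            ip = self.reservations[client]
        elif wanted in self.pool and wanted not in taken and self.leases.get(wanted, (client,))[0] == client:
            ip = wanted                               # old address free, or still ours
        else:
            ip = next(a for a in self.pool if a not in taken and a not in self.leases)
        self.leases[ip] = (client, now + self.lease_hours)
        return ip, now + self.lease_hours

class DhcpClient:
    """Renews at T1 = 50% of the lease and asks for its previous address when it returns."""
    def __init__(self, name):
        self.name, self.ip, self.start, self.expiry = name, None, 0.0, 0.0
    def tick(self, server, now):
        """Run the client at time now; returns the address it may use, or None."""
        if now >= self.start + (self.expiry - self.start) / 2:   # at or past T1: renew/rebind
            got = server.request(self.name, now, wanted=self.ip)
            if got:
                self.ip, self.start, self.expiry = got[0], now, got[1]
        return self.ip if now < self.expiry else None          # expired and unanswered: no IP

def scenario():
    """Replay the cases argued in the thread; returns who holds what, and when."""
    srv = DhcpServer(["10.0.0.10", "10.0.0.11", "10.0.0.12"], reservations={"nas": "10.0.0.2"})
    pc, laptop, nas, guest = (DhcpClient(n) for n in ("pc", "laptop", "nas", "guest"))
    r = {"pc": pc.tick(srv, 0), "laptop": laptop.tick(srv, 0), "nas": nas.tick(srv, 0)}
    r["pc_renew"] = pc.tick(srv, 48)          # T1 of a 96 h lease: same address again
    srv.online = False                        # server dies just before the next renewal
    r["pc_outage"] = pc.tick(srv, 143)        # renew fails but the lease runs to 144 h
    r["pc_expired"] = pc.tick(srv, 150)       # past expiry with no server: no address
    srv.online = True
    r["guest"] = guest.tick(srv, 160)         # newcomer is handed the freed .10
    r["laptop_back"] = laptop.tick(srv, 170)  # off since 0 h, nobody took .11: gets it back
    r["pc_back"] = pc.tick(srv, 170)          # asks for .10, now the guest's: gets .12
    return r
```

Shortening `lease_hours` or extending the outage in `scenario()` shows how quickly the "devices keep working for days" argument stops holding.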
-
To be clear that's the only advantage I can think of. ;)
I'm talking about small SOHO networks here also. I've been in situations where, following a power outage or equipment failure, I'm unable to access a device that would have been trivial had it had a fixed IP written on the outside of the device.
I would always avoid fixed IPs for most devices though.
Steve
-
"I've been in situations where, following a power outage or equipment failure, I'm unable to access a device that would have been trivial had it had a fixed IP written on the outside of the device.
I would always avoid fixed IPs for most devices though."
When I hit that situation, I enable DHCP in pfSense (opening up a single DHCP pool) and let the device connect and find the DHCP address from there. Then disable DHCP once I get everything back to normal.
I also like to set Servers and other Core devices to Static to avoid those types of Issues. A little more work but helps on hairy days!