PfSense as sole DHCP Server?
-
Note: I provided as much detail as I thought might be helpful. Please excuse if the detail is excessive.
With all these devices - Comcast DOCSIS 3.0 "business-class"modem, pfSense network appliance, Cisco SG-300 Layer 3 Switch, multiple computers running Win7 64 bit as well as Linux Ubuntu - I know I have DHCP assignment conflicts and hence delays in my network coming up. I know that because if I cut out all the intermediary devices and go straight through (insecure, I know) from the DOCSIS cable modem to a Win 7 computer, the network pops up quickly - without all the stumbling and error messages.
My immediate problems:
-
Should I just "turn off" the DHCP assignment capabilities of everything except my pfSense device and let it act as a DHCP server for the switch and all end devices?
-
Should I Set Static IP's for the server (file storage only, not true file server) and the printer, and then set a limited range for leased IP addresses?
-
Since I have less than 10 end devices, would I be foolish to just assign all static IP's in the pfSense device and allow it to control the entire network? Seems like that would be highly inefficient but potentially insecure and hence vulnerable to intrusion by bad guys outside the LAN.
Any suggestions for "optimal setup"?
…............
I'll add to this:
-
Should we not turn over all services to pfSense?
-
We all know pfSense handles NAT. So why not DHCP and DNS. Doing so should remove all the conflicts and device incompatibility, specifically Linux BIND and MS DNS.
-
-
More than one DHCP server on your network is a no-no if they're not teamed in a redundant/failover fashion.
I use pfSense for DHCP duties. I usually set the dynamic pool range to something like .17-.254, .33-.254, or .65-.254.
I hard-set things like switches and WAPs in the low portion outside the dynamic pool.
For things like printers and phones I set them to DHCP but use the DHCP static mappings to set them in the low portion outside of the dynamic pool.
I really don't know how you think DHCP makes anything insecure. Anyone can hard-set any static IP on any device at any time.
-
I really don't know how you think DHCP makes anything insecure.
If you will kindly read my post, that is the exact opposite of what I said.
Prevailing wisdom is that static IP's are less secure than dynamic.
More than one DHCP server on your network is a no-no if they're not teamed in a redundant/failover fashion.
I would very much be interested in a clarification of that point. As things are now, it seems that several devices are battling in my network to be the primary DHCP server. That's one thing I wish to avoid of course.
-
I really don't know how you think DHCP makes anything insecure.
If you will kindly read my post, that is the exact opposite of what I said.
Actually I read it like three times and couldn't figure out what you were saying.
Prevailing wisdom is that static IP's are less secure than dynamic.
Huh? By whom?
More than one DHCP server on your network is a no-no if they're not teamed in a redundant/failover fashion.
I would very much be interested in a clarification of that point. As things are now, it seems that several devices are battling in my network to be the primary DHCP server. That's one thing I wish to avoid of course.
Exactly. Choose the one that you want to use and turn all the other ones off. More than one DHCP server per segment is almost never what you want.
-
assign all static IP's in the pfSense device and allow it to control the entire network? Seems like that would be highly inefficient but potentially insecure and hence vulnerable to intrusion by bad guys outside the LAN.
My apologies for such embedded sentence structure. I did not realize it would be confusing.
allow it
it= the pfSense device
Seems like that would be highly inefficient but potentially insecure
Please excuse the typo: "inefficient" which should have been "efficient", efficient at least in the network's ability to locate devices more quickly (if static ip's are set, well then the network does not need to source an IP via DHCP which as you know is a 3-step process).
As for whether or not Static is less secure than Dynamic, let's leave that topic for another time. Basically there are arguments for and and against.
Just right now would it not be wise to keep the NAT, DNS and DHCP (with reserved statics) all on the pfSense device?
I think that is the more meaningful question, and one from which many can benefit.
-
Sure. That's what I do. But your problems are not stemming from which DHCP server you're using. It's that you have more than one on your segment.
-
It's that you have more than one on your segment.
You are 100% correct. I would agree.
My next question would then be: Since I have both Linux and Windows computers on my network, shouldn't I just turn over all this DHCP (with some reserved statics) to pfSense instead of having pfSense, Windows and Linux all battling for control.
NAT, DHCP and DNS all on the same pfSense box?
Btw, Derelict, thanks for your patience. I have a Cisco test on Wednesday, trying to get some work done here and a ton of other things interfering, so my question may have been poorly stated. You are indeed very kind to have hung with me throughout! :)
-
Dude. You can use whatever DHCP server that meets your needs. But just use one.
-
just use one.
Actually, I think we all know that.
My question is not that. My question is, since I have such a mix of devices on my network, many of which can function as DHCP servers, would it not make sense to centralize/consolidate everything on the pfSense device. When I say "everything", I am of course referring to: 1) NAT 2) DHCP 3) DNS.
Right now, I know I can shut off and will shut off all DHCP capabilities on the DOCSIS modem and the SG-300 Cisco Layer 3 switch. What I have left for DHCP server choices are 1) pfSense device 2) Linux computer 3) Win 7 computers
Now I know DHCP server conflicts can be a problem because they are discussed extensively on other networking forums.
My sensible conclusion is to consolidate everything on the pfSense device since it is (absent the DOCSIS modem and the Layer 3 Switch) first in line - before the Ubuntu Linux and Win 7 computers enter the fray.
Although my question is getting a lot of views, I don't think anyone really understands the problem.
So "there should be only one DHCP server" is not a solution. It is a given. We all know that. The real question is which device should handle NAT, DHCP and DNS.
-
Whichever you want. I don't know what you're looking for. Someone to tell you how to design your network?
I already said I use pfSense for all that.
-
Someone to tell you how to design your network?
Oh my, yes. Please come hold my hand. ;)
Seriously, right now I am just too busy studying for my Cisco CCNA exam and don't really have the time to devote to pfSense. My apologies accordingly.
What I wanted was a centralized resource for NAT, DHCP and DNS (preferably dynamic). I see from a casual read of other threads that others are quite interested in doing the same thing as I; and the information on those related threads has been most helpful.
Just for the record, configuring DNS on pfSense does require some thought. And, as we all know, DNS and DHCP should/must reside on the same device.
Let's now close this thread because I believe it to be redundant. Thanks to all!
-
Right now, I know I can shut off and will shut off all DHCP capabilities on the DOCSIS modem and the SG-300 Cisco Layer 3 switch.
If I'm not mistaken, the pfsense box is between the modem and the switch, so unless I'm mistaken that is two separate network segments, each of which may have either 0 or 1 DHCP server (depending on whether you want static addressing or not). The modem is likely to have a DHCP server running by default so you can just leave that alone; the pfsense console will tell you whether the WAN was assigned an address using DHCP or not. Then on the LAN segment you again have the choice of running the DHCP server or not, and yes, it seems to make sense for pfsense to do it. Finally, are there different network segments on both sides of the switch, too? Then you will need a DHCP server there too, on the downstream side.
For small networks without a lot of activity connecting and disconnecting machines, I like static addressing if only to make it easier to understand what is going on in the logs.
-
The DHCP server in pfSense is perfectly capable of handing out leases to thousands of devices at a time. Like multiple /19 pools.
I really don't know what OP's point was. Neither does he as he's made it plain he's too busy studying for his CCNA to worry about details like basic network design.
-
I think pfsense works great as the sole DHCP server. Never an issue.
-
I think pfsense works great as the sole DHCP server.
I think you are correct; and that's actually the confirmation of my thinking I was hoping for.
What I believe from the error/information messages I see upon pfSense bootup is that quite possibly the DOCSIS 3.0 (SMCD3G-BIZ) cable modem, the SG-300 Layer 3 capable switch, and the end devices are all competing for DHCP responsibilities.
My question, hoping to clear up Derelict's ongoing confusion here, is whether or not to centralize everything on the pfSense device, specifically firewall, NAT, DHCP and DNS. The reason for doing so makes good sense logically and I thank you folks for confirming my thoughts. I will therefore turn off/shut down these services on all other devices in the mix.
-
Yes - I think thats a good decision. Pfsense is pretty decent one stop shopping for those things. No need to complicate the mix.
-
Thanks, Kejianshi, for your kindness and the benefit of your experience.
All I have right now is a totally unconfigured network:
DOCSIS 3.0 Cable Modem –> pfSense --> Cisco Layer 3 switch --> file server, 6 Win7 computers, 1 Ubuntu Linux computer, Canon laser printer + will add Wifi later on (possibly) for the laptop.
Again, Much Appreciate. :)
-
Are you operating the switch as layer 2 or layer 3? Calling it a layer 3 switch implies you'll be routing with it.
-
Dammit. This is 2 times now I have posted a reply only to be told I do not have access - and then the reply is erased. Ugh!
–-----------
@DerelictActually I call it a Layer 3 switch because it is a Layer 3, some say "Managed", switch with Layer 3 routing capability - excellent for VLAN's. I purchased it way before I knew anything about pfSense. Given what I know now, I probably would have turned everything over to psSense. May sell the Cisco SG-300 switch as a result.
To answer your question, though, I am just using it unconfigured out of the box - hence a single big ole VLAN.
Btw, when I said I was studying Cisco, please don't misunderstand that I actually like Cisco. Quite to the contrary, I find Cisco to be unduly complicated, with too many "yeh buts" and "one more things". I always say that mastering Cisco is like a scuba diver trying to touch bottom in the Marianas Trench.
The only reason I study Cisco is the classes at the local JC are exceedingly well taught and give me a very clear understanding of what really happens in a network, large or small. Cisco's books and tests are pretty awful, especially the Cisco tests which are a bunch of convoluted crap. The only thing they test is your ability to untangle their tangled English.
Also, I think Cisco's IOS is a security sieve. So all in all, given the simplicity and cost-effectiveness of pfSense, I think this project has a bright future especially in small to medium sized business and other organizations. Priced a Cisco router recently?
Btw, thanks Derelict for all your poignant observations, which help me to clarify my goals and motivate me to learn more. ;D
-
Note: I provided as much detail as I thought might be helpful. Please excuse if the detail is excessive.
With all these devices - Comcast DOCSIS 3.0 "business-class"modem, pfSense network appliance, Cisco SG-300 Layer 3 Switch, multiple computers running Win7 64 bit as well as Linux Ubuntu - I know I have DHCP assignment conflicts and hence delays in my network coming up. I know that because if I cut out all the intermediary devices and go straight through (insecure, I know) from the DOCSIS cable modem to a Win 7 computer, the network pops up quickly - without all the stumbling and error messages.
Your issues most likely has nothing to do with pfSense, Windows server, Linux devices, or DHCP on your Comcast modem but basic configuration of your Cisco switch. Try looking up spanning tree portfast the next time you're "studying" for your Cisco exam.