VERY N00b Questions on Setup
-
Maybe the confusion was regarding configuring static DHCP leases vs. static IP address at each client or server.
More like WAN vs LAN, but I'm not even sure. To be honest, I'm even more confused now. =) I'll try to explain below the way I understand things, so please correct as required.
The WAN is where the Internet comes in. In my particular case, with my current ISP, the connection type is DHCP, which means my ISP will assign me (or, to be more specific, my "entry point", which I suppose is the modem) an IP address, dynamically.
Now - and here's the key part, I believe - this particular address has NOTHING to do with the addresses behind that entry point. Those addresses are my own network, and I can do whatever I please with those. If I check to see my public IP address, it's totally different than the routine 192.168.0.xxx scheme I have internally.
Am I correct so far?
If so, my understanding is that, with my current ISP, when setting up pfSense, I'd set WAN to DHCP, and LAN to static, so pfSense can act as the gateway for all the other machines on the network. I'd set the static according to the numbering scheme selected, reserve a block for static IP's, reserve another for dynamic addresses (I can set both of those in pfSense, right?), and off I go.
That's my understanding, and that's why Mr. Jingles' comments still don't make sense to me - sorry. =) (Not trying to be rude, or to sound ungrateful! Quite the opposite.) That being said, I totally understand the logic behind getting every hardware box a static IP address, and I'll probably do that too once I get everything up and running.
Thanks again in advance!
-
If I may jump in…..
The WAN is where the Internet comes in. In my particular case, with my current ISP, the connection type is DHCP, which means my ISP will assign me (or, to be more specific, my "entry point", which I suppose is the modem) an IP address, dynamically.
Now - and here's the key part, I believe - this particular address has NOTHING to do with the addresses behind that entry point. Those addresses are my own network, and I can do whatever I please with those. If I check to see my public IP address, it's totally different than the routine 192.168.0.xxx scheme I have internally.
Am I correct so far?
Bang on! The only addition I would make is to avoid 192.168.0.x, 192.168.1.x, and 10.0.0.x as your internal address ranges. But only because those particular ranges are already used by so many other off the shelf devices (routers, AP's etc.) that future VPN and interconnect scenarios can be more difficult than necessary if your internal LAN addresses happen to overlap one of these other devices.
If so, my understanding is that, with my current ISP, when setting up pfSense, I'd set WAN to DHCP, and LAN to static, so pfSense can act as the gateway for all the other machines on the network. I'd set the static according to the numbering scheme selected, reserve a block for static IP's, reserve another for dynamic addresses (I can set both of those in pfSense, right?), and off I go.
Again, dead on the money. The confusion (I'm guessing here) in the previous posts has more to do with which "DHCP" the various authors are referring to.
There's DHCP as it refers to the WAN interface which (as you described) is presented to your WAN interface by your ISP. Thus the WAN interface type is DHCP.
Then there's DHCP as it refers to the LAN interface which (again you described it well) is a service made available by your LAN interface. Your LAN interface NIC is actually (typically) a Static address within the subnet of that DHCP service so the LAN interface type is static. It becomes your responsibility to manage the DHCP server on your internal LAN subnet.
The confusion arises when we (I do it myself too…..) simply say "DHCP" or "Static address" or "Dynamic address" without enough context to be clear about what we're describing.
BTW the comment about managing towards static addresses on your internal LAN is one of my best practices as well, for others - YMMV....
If that helps, glad I could.
If it doesn't, feel free to ignore me ;)
-
If that helps, glad I could.
If it doesn't, feel free to ignore me ;)
Not at all, good Sir! Very helpful indeed, quite grateful here. I guess I hadn't factored into my equation (that is, the one that attempts to figure out where the confusion arose in this thread!) that the LAN interface (or, more accurately, the pfSense machine itself, but we understand each other) is ALSO a DHCP server - to all the other machines on the network, that is.
But, OK, I'm now at the point where I have sufficient trust in my knowledge and understanding. =)
-
But, OK, I'm now at the point where I have sufficient trust in my knowledge and understanding. =)
Excellent, that's invariably the point at which I make my best mistakes - but learn the most ;)
Just kidding (except about learning)…
Welcome to pfSense, it's still one of the best open source tools I've found and has a community to match.
-
- seems rather sane … just remember to turn off dhcp on the 'isp-supplied-router' once you start using it as an access point.
So I've been thinking about this - why would I want to do that? (Not questioning, just inquiring, btw.) Wouldn't I want the wireless AP to hand out DHCP addresses to new wireless clients? Or would the pfSense machine still be the one to do that even through wireless?
-
Actually, disregard the above - found the answer with a bit of searching. For anybody happening on this thread via search in the future, here's an answer by phil.davis to another series of questions in the past. For reference, the "it" in the first sentence refers to a consumer router/AP:
Normally you just ignore the fact that it has a WAN port - put tape over it. Plug one of the LAN ports into your LAN switch. Switch off DHCP on the "WiFi router". Just have it offering WiFi, the DHCP will come from pfSense, through the LAN switch, through the WiFi device and delivered to WiFi clients.
So there it is, pfSense will indeed offer DHCP to WiFi clients. Which is why DHCP needs to be turned off on the AP.
-
If the AP WLAN is part of the same routed subnet then the pfSense DHCP server will handle that. Turn off the AP DHCP server to avoid some clients possibly getting the same address as another from pfSense DHCP. For the simple, straightforward home setup you are probably implementing, only one DHCP server should be handing out addresses.
If the AP WLAN is going to be its own routed subnet then leave its DHCP server on.
-
Sorry, I did indeed intend (but nevertheless should have specified) for all WiFi clients to be on the same subnet as the pfSense DHCP server. In other words, everything in one subnet.
-
Sorry, I did indeed intend (but nevertheless should have specified) for all WiFi clients to be on the same subnet as the pfSense DHCP server. In other words, everything in one subnet.
Pretty much what I figured. So definitely only have one active DHCP server. Otherwise clients could end up with the same IP address if more than one DHCP server is assigning addresses in the same range.
-
I have a friend who runs an ISP. He provides Internet to a condo building in Downtown Atlanta somewhere. One of the issues he has run into (and since solved) is end users plugging in their consumer router/firewalls "backwards" with the LAN side connected to the WAN. The built-in, on by default, DHCP server on these devices would take down the whole building.
So, to make a point…yes you only want one DHCP server enabled or your network will not work right, at all. Basically you'll DOS yourself.
Modern switch software allows you to lock down which port DHCP requests can be replied from to guard against this kind of problem.
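
Added example, not part of any post in this thread: when a second DHCP server answers on the LAN, its replies carry a different server identifier (DHCP option 54), so a monitor can parse captured replies and flag any server that is not the authorized one. The function names and every address below are constructed for illustration; the input is assumed to be the UDP payload of DHCP replies captured on the LAN.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 message types that only a server sends

def parse_reply(payload):
    """Return (msg_type, server_id, offered_ip) for a DHCP server reply, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None           # too short, not a BOOTREPLY, or not DHCP
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:   # pad option is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload):
            return None       # truncated option header
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            return None       # truncated option body
        opts[payload[i]] = data
        i += 2 + length
    mtype, sid = opts.get(53, b""), opts.get(54, b"")
    if len(mtype) != 1 or len(sid) != 4:
        return None           # missing message type or server identifier
    offered = ipaddress.IPv4Address(payload[16:20])  # yiaddr field
    return mtype[0], str(ipaddress.IPv4Address(sid)), str(offered)

def rogue_servers(payloads, authorized):
    """Map each unauthorized server identifier to the addresses it handed out."""
    rogue = {}
    for p in payloads:
        reply = parse_reply(p)
        if reply and reply[0] in (OFFER, ACK) and reply[1] not in authorized:
            rogue.setdefault(reply[1], []).append(reply[2])
    return rogue

def build_reply(mtype, server, yiaddr):
    """Build a minimal DHCP reply; used only to construct sample input."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                 # BOOTREPLY, Ethernet, 6-byte MAC
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytes([53, 1, mtype, 54, 4]) + ipaddress.IPv4Address(server).packed
    return bytes(hdr) + MAGIC + opts + b"\xff"

# Constructed sample: 192.168.37.1 stands in for pfSense, 192.168.0.1 for the AP.
SAMPLES = [build_reply(OFFER, "192.168.37.1", "192.168.37.100"),
           build_reply(OFFER, "192.168.0.1", "192.168.0.100"),
           build_reply(ACK, "192.168.0.1", "192.168.0.100")]

if __name__ == "__main__":
    print(rogue_servers(SAMPLES, authorized={"192.168.37.1"}))
```

The offered addresses in the result show which range the unexpected server is handing out, which helps identify affected clients.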