Having LAN issues related to a new switch
-
You can still do that with DHCP and static reserved addresses in pfsense, really easy.
Jeff
-
DHCP has zero to do with users coming and going.
Most of the time a device will always have the same IP even with DHCP, unless there are more devices than leases and you have devices going on and off all the time.
Once a device gets an IP via a lease, he will continue to renew that IP. He will even ask for it again when shut off. The way dhcpd works, even if that box has been off for a really long time he will still get that IP back, because dhcpd doesn't reuse that lease until it has run out of other IPs and the lease has expired, etc.
And you can always just set a reservation for a specific device's MAC address; now that device will always get that IP via DHCP.
The benefit of DHCP is that you can now change all your devices to a new IP range if so desired without having to actually touch them. You could change the DNS they point to, or the gateway, or the domain they use for the search suffix, the NTP server they point to, etc. All without actually having to go touch the physical device.
There is like zero reason not to use DHCP on your network.
-
@johnpoz said in Having LAN issues related to a new switch:
DHCP has zero to do with users coming and going.
Most of the time a device will always have the same IP even with DHCP, unless there are more devices than leases and you have devices going on and off all the time.
Once a device gets an IP via a lease, he will continue to renew that IP. He will even ask for it again when shut off. The way dhcpd works, even if that box has been off for a really long time he will still get that IP back, because dhcpd doesn't reuse that lease until it has run out of other IPs and the lease has expired, etc.
And you can always just set a reservation for a specific device's MAC address; now that device will always get that IP via DHCP.
The benefit of DHCP is that you can now change all your devices to a new IP range if so desired without having to actually touch them. You could change the DNS they point to, or the gateway, or the domain they use for the search suffix, the NTP server they point to, etc. All without actually having to go touch the physical device.
There is like zero reason not to use DHCP on your network.
Thanks. So many differing opinions...
why-is-dhcp-considered-insecure
-
Just like any service it could be considered an attack vector. But for that to happen they have to be able to get on your network. Is someone plugging in a device and running a DHCP starvation attack on your network, i.e. using up all your DHCP leases so that clients cannot get an IP? ;)
You need to understand the actual conversation at hand about "possible" risks of a service you are running on your network. But for you to take a blanket stand that service XYZ is insecure, without even understanding their conversation and homing in on the words insecure and DHCP, is just nonsense.
None of those concerns would come into play in some home setup with a 5 port switch like a DGS-1005G.
You know your car would be more secure (less likely to be stolen) if you drained all its gas when you parked it. Do you do that?
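As an added illustration (not part of this thread, and not anyone's posted code), here is the check a practitioner would actually run to answer the starvation question above: a Python script that reads ISC dhcpd syslog lines (the DHCP server pfSense shipped at the time of this thread) and flags any minute in which an unusual number of distinct MAC addresses sent DHCPDISCOVER on one interface, which is the signature of a tool burning through the pool. The sample log lines, the 20-MAC threshold, the hostname pfSense and the interface name em0 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ISC dhcpd logs each discover to syslog in this shape (assumed format, one line per message):
#   Jun  3 10:15:01 pfSense dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via em0
DISCOVER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) via (?P<iface>\S+)"
)


def parse_discovers(lines, year=2024):
    """Yield (timestamp, mac, interface) for every DHCPDISCOVER line; other lines are skipped.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in lines:
        m = DISCOVER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["mac"].lower(), m["iface"]


def starvation_windows(lines, window_s=60, threshold=20, year=2024):
    """Return [(iface, window_start, distinct_mac_count)], sorted, for every window of
    `window_s` seconds in which more than `threshold` distinct MACs sent a DISCOVER on
    the same interface. A home LAN sees a few new MACs per minute at most; a starvation
    tool spoofs a fresh MAC per request to exhaust the pool, which is what this counts."""
    seen = defaultdict(set)
    for ts, mac, iface in parse_discovers(lines, year):
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        offset = int((ts - midnight).total_seconds())
        start = midnight + timedelta(seconds=offset - offset % window_s)
        seen[(iface, start)].add(mac)
    return sorted(
        (iface, start, len(macs))
        for (iface, start), macs in seen.items()
        if len(macs) > threshold
    )


# Constructed sample: a normal lease exchange from two real clients, then a burst of 30
# DISCOVERs from 30 different (spoofed) MACs inside one minute.
SAMPLE_LOG = [
    "Jun  3 10:15:01 pfSense dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via em0",
    "Jun  3 10:15:01 pfSense dhcpd: DHCPOFFER on 192.168.1.100 to 00:11:22:33:44:55 via em0",
    "Jun  3 10:15:02 pfSense dhcpd: DHCPREQUEST for 192.168.1.100 (192.168.1.1) from 00:11:22:33:44:55 via em0",
    "Jun  3 10:15:02 pfSense dhcpd: DHCPACK on 192.168.1.100 to 00:11:22:33:44:55 via em0",
    "Jun  3 10:20:44 pfSense dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via em0",
] + [
    f"Jun  3 10:31:{i:02d} pfSense dhcpd: DHCPDISCOVER from de:ad:be:ef:00:{i:02x} via em0"
    for i in range(30)
]

if __name__ == "__main__":
    for iface, start, n in starvation_windows(SAMPLE_LOG):
        print(f"{start:%Y-%m-%d %H:%M} {iface}: {n} distinct MACs sent DHCPDISCOVER")
```

On a live box you would feed it the DHCP log (on pfSense, Status > System Logs > DHCP, or the dhcpd entries in the system log) and tune the threshold to the size of the LAN; a single flagged window is the cue to look at which switch port the burst came from.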
-
@johnpoz said in Having LAN issues related to a new switch:
None of those concerns would come into play in some home setup with a 5 port switch like a DGS-1005G.
Bingo.
Which is why it's just easier for me to use static IPs in this situation ;-) If I have to go through the trouble to set up reservations, phooey. Just set them static once and done.
How about we compare DHCP to the car KEYS? Would you leave those in your car?
edit: Why would I leave my car keys? They are always in my pocket. Leaving them in the car would be extra work. My point about the gas was that it is an over-the-top step for little reward, just like not running DHCP on your network.
You do understand that an attacker that is on your network doesn't need to get an IP from DHCP to find out the IP range of the network. And it's not rocket science to discover the gateway IP or the DNS server, etc. just from being physically attached. If you're worried about such things then you run NAC, and the device has to auth before it can do anything on the network, even get a DHCP address.
-
@HansSolo said in Having LAN issues related to a new switch:
Just set them static once and done.
It takes 2 seconds to set up a reservation, way less time than for you to set up a static, that is for damn sure. Especially on non-PC devices. And as already stated, if you ever want to change "anything" you now have to go touch each device.
Dude, you do what you want, but let's be clear: for devices on the same network, pfSense has ZERO to do with their conversation.
-
Dude, you do what you want, but let's be clear: for devices on the same network, pfSense has ZERO to do with their conversation.
Got it. thanks
As for the other points, your opinions are appreciated. It's just that I read opinions from other experts on StackExchange, ServerFault etc. whose opinions may be different from yours. Don't get upset.
-
I am not upset. I understand the statements that sure, dhcpd is an attack vector. Not using it to reduce that attack vector comes with its own cost; is that cost worth the removal of that specific attack vector?
Sorry but NO, I am not going to only use static on my network to reduce the possibility of those attacks, since they have no real possibility in the real world of being used on my network. And to be honest there are other, easier ways to mitigate that specific sort of attack anyway, if that was the concern.
All steps to "secure" something come with a cost: extra effort, loss of functionality or ease of use, etc. You need to weigh the actual "risk" of some attack vector against the cost of the specific method of mitigation of said risk. Sorry but the risk of possible nefarious use of the DHCP protocol is not high enough to warrant not using it.
If you only have 2 devices on your network and you don't want to use DHCP, sure, have fun with that. But I have 40+ devices on my network, and then devices that come and go all the time that are outside my control. What, I'm going to show my guest that wants to use my WiFi how to set up a static IP and DNS on their phone?
You try setting up a static on say a Nest Protect smoke alarm; it has no interface at all. So how are you going to do that? ;) Setting a static on my printer is running through click menus with arrow buttons and a tiny LCD screen. To set numbers you have to click 1, 2, 3, etc. Setting it via DHCP takes all of 2 seconds. It gets a lease, I see the lease on pfSense, click the static reservation button, put in the IP, and there you go: when the printer renews it gets the new IP.
Cost of mitigation of risk vs level of risk always comes into play.
-
@johnpoz said in Having LAN issues related to a new switch:
I am not upset. I understand the statements that sure, dhcpd is an attack vector. Not using it to reduce that attack vector comes with its own cost; is that cost worth the removal of that specific attack vector?
Sorry but NO, I am not going to only use static on my network to reduce the possibility of those attacks, since they have no real possibility in the real world of being used on my network. And to be honest there are other, easier ways to mitigate that specific sort of attack anyway, if that was the concern.
All steps to "secure" something come with a cost: extra effort, loss of functionality or ease of use, etc. You need to weigh the actual "risk" of some attack vector against the cost of the specific method of mitigation of said risk. Sorry but the risk of possible nefarious use of the DHCP protocol is not high enough to warrant not using it.
If you only have 2 devices on your network and you don't want to use DHCP, sure, have fun with that. But I have 40+ devices on my network, and then devices that come and go all the time that are outside my control. What, I'm going to show my guest that wants to use my WiFi how to set up a static IP and DNS on their phone?
You try setting up a static on say a Nest Protect smoke alarm; it has no interface at all. So how are you going to do that? ;) Setting a static on my printer is running through click menus with arrow buttons and a tiny LCD screen. To set numbers you have to click 1, 2, 3, etc. Setting it via DHCP takes all of 2 seconds. It gets a lease, I see the lease on pfSense, click the static reservation button, put in the IP, and there you go: when the printer renews it gets the new IP.
Mitigation of risk vs level of risk always comes into play.
I use Roost smoke alarms. They're on WiFi and work great. Cost a LOT less too.
-
@HansSolo said in Having LAN issues related to a new switch:
Roost smoke alarms
Ok sure, great; how do you set those to use a static IP address? Sure looks more painful than just setting a lease for it ;) if it is even possible.
My point was not the make or model of the device, but that some devices do not even support static, or have no simple, easy way to do it. Also, once you put any static devices on your network, to make any sort of simple change to your network you have to touch each device.
Again, cost of mitigation of risk. Do you really think the "risk" of using DHCP on your network outweighs the benefits that it brings, and the reason you don't run it is because of said "risk"??
I can change my whole network over to a different space with a few clicks in the pfSense web GUI. I can point specific clients to different DNS, or even a different gateway, or hand them an NTP server, all from the simple GUI of pfSense without having to touch any specific device. Nor do the devices even need to be on or connected to the network; the next time they do connect they will get the new info, etc.
You don't run DHCP because you're worried someone is going to connect to your network and then use that to attack you? Really?
-
@johnpoz said in Having LAN issues related to a new switch:
You don't run DHCP because you're worried someone is going to connect to your network and then use that to attack you? Really?
No, that's not really why.
Cool. I'm learning a lot here. Your posts are very helpful. Keep up the good work, Jon.
On the smoke detectors, I don't communicate back to them... they just send the alert over WiFi.
So they don't need static IPs. Just network access outbound.
-
@HansSolo said in Having LAN issues related to a new switch:
So they don't need static IP's. Just network access outbound.
So you run DHCP for them.
So you're at risk of DHCP attacks on this network ;) since it's so insecure.
I think there is a lack of understanding of how DHCP works if you think a client's IP that is DHCP is going to be changing all the time. Even if you don't set a reservation, a client, once it gets an IP, will almost always keep that same IP.
So let's say you are using a /24 on your local network, the default 192.168.1.0/24. Let's say you limit the scope from the full .2 to .254 range to say .100 to .200, so you have 100 addresses to work with in your pool.
So client A connects and it gets .100, B comes on and gets .101. Let's say your lease is for 24 hours. So every 12 hours clients will ask hey, can I renew this address .100 or .101, and the DHCP server will say sure, it's yours for another 24 hours.
Now let's say A gets turned off and 23 hours later C comes on the network. He will get .102; dhcpd is not going to hand out .100 to him because the lease to A is still active.
Let's say it's 2 weeks later and A has been off this whole time, and now D comes online. Does dhcpd give out .100?? No, because he has plenty of never-used IPs left in the pool, so D gets .103.
So until such time that all the IPs have been given out, up to .200, no previous IPs will be handed out to "new" clients.
Now let's say DHCP has worked all the way through .200 handing out IPs, and all the leases are used. Now client ZZ connects and wants an IP. Then sure, it will look to its "expired" leases and say hey, .100 expired a long time ago, he has not been back, here, you can use .100.
Now if .100 comes back after that and says hey, can I get .100? No, you cannot. Here is another IP in the pool I can give you.
So even without setting reservations, unless you have more clients than your scope, your DHCP clients will always get the IP they had from the first time they connected. Unless of course you clear the old leases out of dhcpd, and/or your client doesn't request his old IP back. But if dhcpd still has his old expired lease there, even if the client doesn't request his old IP, dhcpd should give him back his old IP, since there is an old lease that has not been reused by some other client/MAC.
You set a reservation in dhcpd for a specific MAC more so to set an IP outside of the scope that you know for a FACT will be that specific client's IP on that network. It also allows you to call out different things for that specific client that are different from your normal scope's options.
Even if you have more clients on your network than you have DHCP space for, and they are always coming and going, if you set the client to register its IP with your DNS you don't have to worry if the client's IP is not static; you can always just query its name.
Setting static so you can use port forwards or whatnot, I think, comes from people that do not understand how the protocol works, or are basing their advice on what they see from their ISP public IP, where that might change every day, back when they used to dial up into AOL or something.
Also, setting a DHCP reservation removes the possibility of the DHCP server handing out that IP to any other client that does not have that MAC address. Even if its pool is exhausted it will not hand out that IP to any other client. So it's the same as setting a static on the device, yet with all the flexibility of DHCP.
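Added example, not from the thread and not dhcpd's own code: a small Python model of the lease behaviour walked through above (scope .100 to .200, 24-hour leases, clients A, B, C, D and ZZ) together with the reservation behaviour from the last paragraph. It is a deliberately simplified model of ISC dhcpd's allocation rules (leases keyed by MAC, never-used addresses preferred, expired leases recycled oldest-first only when the pool is empty, reservations withheld from the pool); the MAC labels and the reserved addresses .150 and .50 are assumptions chosen for the walkthrough.

```python
from ipaddress import IPv4Address


class DhcpPool:
    """Simplified model of ISC dhcpd lease allocation (assumed rules, not dhcpd's code).

    - A MAC that already holds a lease, active or expired, gets the same address back.
    - A new MAC gets a never-used pool address before any expired lease is recycled.
    - Expired leases are recycled, longest-expired first, only once the pool is exhausted.
    - A reservation binds an address to one MAC and is never offered to any other MAC.
    Time is an integer number of seconds supplied by the caller.
    """

    def __init__(self, first, last, lease_time=86400):
        first, last = IPv4Address(first), IPv4Address(last)
        self.free = [IPv4Address(int(first) + i) for i in range(int(last) - int(first) + 1)]
        self.lease_time = lease_time
        self.leases = {}        # mac -> [ip, expires_at]; expired entries are kept on file
        self.reservations = {}  # mac -> ip (pfSense calls this a static DHCP mapping)

    def reserve(self, mac, ip):
        """Bind `ip` to `mac`; the address may lie inside or outside the dynamic range."""
        ip = IPv4Address(ip)
        self.reservations[mac] = ip
        if ip in self.free:      # inside the scope: withdraw it from the dynamic pool for good
            self.free.remove(ip)
        return ip

    def request(self, mac, now):
        """Client `mac` DISCOVERs/REQUESTs at time `now`. Returns the leased IP, or None."""
        if mac in self.reservations:
            ip = self.reservations[mac]
        elif mac in self.leases:         # renewal, or an old client coming back after any time
            ip = self.leases[mac][0]
        elif self.free:                  # fresh client while never-used addresses remain
            ip = self.free.pop(0)
        else:                            # pool exhausted: recycle the longest-expired lease
            expired = [(exp, m) for m, (_, exp) in self.leases.items() if exp <= now]
            if not expired:
                return None              # nothing to hand out: a starvation attack aims for this
            _, victim = min(expired)
            ip = self.leases.pop(victim)[0]
        self.leases[mac] = [ip, now + self.lease_time]
        return ip


HOUR = 3600
DAY = 24 * HOUR


def walkthrough():
    """Replay the A/B/C/D/ZZ story from the post on a .100-.200 scope with 24h leases."""
    pool = DhcpPool("192.168.1.100", "192.168.1.200", lease_time=DAY)
    out = {}
    out["A_first"] = str(pool.request("A", 0))               # .100
    out["B_first"] = str(pool.request("B", 0))               # .101
    out["A_renew"] = str(pool.request("A", 12 * HOUR))       # still .100
    out["C_first"] = str(pool.request("C", 23 * HOUR))       # .102: A's lease is still active
    out["D_first"] = str(pool.request("D", 14 * DAY))        # .103: A expired, but unused IPs remain
    pool.request("B", 14 * DAY)                              # B keeps renewing .101
    pool.reserve("nas", "192.168.1.150")                     # reservation inside the scope
    while pool.free:                                         # a crowd of new clients drains the scope
        pool.request(f"new-{len(pool.free)}", 14 * DAY)
    out["ZZ_first"] = str(pool.request("ZZ", 14 * DAY))      # pool empty: ZZ recycles A's .100
    out["A_back"] = str(pool.request("A", 14 * DAY))         # A cannot have .100; gets C's expired .102
    out["nas"] = str(pool.request("nas", 14 * DAY))          # .150 was held back for the reservation
    pool.reserve("printer", "192.168.1.50")                  # reservation outside the scope
    out["printer"] = str(pool.request("printer", 14 * DAY))  # .50
    return out


if __name__ == "__main__":
    for step, ip in walkthrough().items():
        print(f"{step:10} {ip}")
```

The model makes the two practical points explicit: a host's address only changes when the pool has genuinely run dry and its own lease has expired, and a reservation inside the scope is withdrawn from the pool before anyone else can be offered it.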
-
I just read that article about DHCP risk. It strikes me as more along the lines of what you'd hear from those anti-vaxxers. Do you understand how DHCP actually works? Since it initially uses broadcasts, the attacker would have to be on the local LAN and, as mentioned in the article, that means you already have a bigger problem without worrying about DHCP. In short, if there's a risk with DHCP, it's because your security has already failed, allowing the attacker in.
-
@johnpoz said in Having LAN issues related to a new switch:
Setting static so you can use port forwards or what not - I think comes from people that do not understand...
@johnpoz - Will you please clarify, in your post, setting static where? On the firewall (pfsense), or on the client/host?
Jeff
-
Setting static anywhere. Unless your ISP is doing something really wonky, even DHCP from your ISP would stay the same. And even if that doesn't, that is the whole point of dynamic DNS.
My comment was made towards the OP's comment that he has a need to get to his devices, etc., so he sets a "static" IP on them. This is a lack of understanding of how DHCP actually works, is all.
Unless you're connecting to some public network like at Starbucks or something, where there are hundreds or even thousands more devices using the network than what the DHCP scope is set up for, then unless your client actually relinquishes the lease or is offline for an extended period, typically the client will maintain the same IP it has always gotten.
In a home setup with a handful of devices and a /24 scope, it's almost impossible that a DHCP client would get a different IP than the first one it gets when first joining the network. Unless old leases are removed from dhcpd, and/or the DHCP server changes, etc.
BTW, for clarity: if I say set a static, I mean on the device; if done with DHCP then to me that is a "reservation". This term "static DHCP" is an oxymoron.