Can you run DHCP, DNS and NTP on different VIPs?

  • We would like to replace multiple old infrastructure systems - specifically those providing DHCP, DNS, and NTP - with pfSense. We have two of each system/service running on dedicated VMs (so six machines total). The goal would be to replace the six with two pfSense boxes, each running the three services.

    My question is how to work around a few limitations: We would strongly prefer to keep the same IPs as the existing servers - there is no telling where DNS and NTP settings are hard-coded and we would rather not wait for something to fail to become aware and reconfigure. Unfortunately all of the existing systems are on the same subnet so I cannot just create different interfaces (at least I don’t think you can have multiple interfaces on the same subnet . . .).

    I know we can add VIPs for the various existing server addresses but is it possible to have service-related traffic for DHCP, DNS, and NTP go to a virtual IP? If so, how/where do I configure that?

    Also since these boxes won’t really be routing any traffic (I’m assuming everything will be done through the LAN interface and VIPs) what should I do about a LAN port? I recall seeing that you need one configured in most instances . . .

    Thanks in advance for any advice!


  • Netgate Administrator

    @jpod2019 said in Can you run DHCP, DNS and NTP on different VIPs?:

    (I’m assuming everything will be done through the LAN interface and VIPs)

    I'm assuming you mean WAN there. 😉
    You can have a single interface and it will be WAN and that's fine. The anti-lockout rule will be applied there instead of LAN in that case.

    If you add a VIP on the WAN all services will listen on it by default so you can add VIPs for NTP and DNS and it will work. DHCP will only run on the interface address though.
    By default DHCP will hand out its own IP for NTP and DNS so you would need to make sure you set those values in the DHCP setup. Though it would still work fine for anything using DHCP since those services would also be listening on the interface IP.

    Steve
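One way to verify the DHCP point from the answer above after the cutover (an added example, not code from the thread or from pfSense): parse a captured DHCP lease's DNS list (option 6) and NTP list (option 42) and flag a lease that still advertises the pfSense interface address instead of the preserved server IPs. The `build_sample_ack` helper and all addresses are constructed for offline testing.

```python
import ipaddress

# DHCP option codes (RFC 2132): 6 = DNS servers, 42 = NTP servers
OPT_DNS, OPT_NTP, OPT_PAD, OPT_END = 6, 42, 0, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236  # fixed BOOTP header that precedes the magic cookie

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP packet (BOOTP header + options)."""
    if packet[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw: bytes) -> list:
    """Decode an option value holding a list of IPv4 addresses (4 bytes each)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def check_lease(packet: bytes, expected_dns: set, expected_ntp: set, interface_ip: str) -> list:
    """Return findings; an empty list means the lease advertises the preserved server IPs."""
    opts, findings = parse_dhcp_options(packet), []
    for code, name, expected in ((OPT_DNS, "DNS", expected_dns), (OPT_NTP, "NTP", expected_ntp)):
        got = set(ip_list(opts.get(code, b"")))
        if not got:
            findings.append(f"{name}: option {code} missing from lease")
        elif got == {interface_ip}:
            findings.append(f"{name}: lease hands out the pfSense interface IP {interface_ip} instead of the preserved VIP(s)")
        elif got != expected:
            findings.append(f"{name}: expected {sorted(expected)}, lease advertises {sorted(got)}")
    return findings

def build_sample_ack(dns: list, ntp: list) -> bytes:
    """Constructed DHCPACK for offline testing: zeroed BOOTP header, cookie, option 53=5, then 6 and 42."""
    body = bytes([53, 1, 5])  # DHCP message type = ACK
    for code, addrs in ((OPT_DNS, dns), (OPT_NTP, ntp)):
        raw = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
        body += bytes([code, len(raw)]) + raw
    return bytes(BOOTP_FIXED_LEN) + MAGIC_COOKIE + body + bytes([OPT_END])
```

Feed `check_lease` the options portion of a real DHCPACK (for example from a packet capture on a test client) with the legacy DNS/NTP addresses as the expected sets; a non-empty result means the DHCP server settings still need the preserved addresses entered.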
