Multiple DHCP subnet on one LAN interface
-
Hello,
We have an old firewall (Zeroshell) in our institution that I would like to replace with pfSense. We have VOIP devices that only work on a separate subnet. These devices cannot be set to a static IP in their settings because they automatically reset to DHCP. Currently this is what the configuration looks like in Zeroshell:
ETH00 interface:
SUBNET A: 192.168.64.0/24 (all devices other than VOIP), gateway: 192.168.64.50 (firewall), some static IPs, DHCP from 192.168.64.150-192.168.64.253
SUBNET B: 192.168.1.0/24 (VOIP), all IP addresses are static, gateway: 192.168.1.1 (soho router that NATs the x.x.x.x public IP, DHCP off); on the firewall DHCP is on but the range is empty, it only allocates IP addresses to static IP entries. Here the firewall IP is 192.168.1.50
ETH01 interface:
WAN interface with public IP x.x.x.y
ETH02 interface:
BACKUP WAN interface with public IP z.z.z.z
In pfSense, how can I configure the 2 subnets above? Unfortunately, VLAN is not a solution because many unmanaged switches in our environment do not support it.
I thought about adding another network interface to the server, but if I enable DHCP, an address pool is mandatory. And I only want to assign addresses to VOIP devices configured with a static IP address.
Another option, I guess, is to turn DHCP on on the soho router; there is an option Strict Bind IP to MAC (If you select Strict Bind, unspecified LAN clients cannot access the Internet.)
and exclude VOIP devices from pfSense DHCP somehow based on MAC.
What do you think?
-
@sifti85 said in Multiple DHCP subnet on one LAN interface:
In pfSense, how can I configure the 2 subnets above?
You can't.
If an interface uses, for example, 192.168.64.0/24 then you can't add a second pool using 192.168.1.0/24
After all, if a DHCP request comes in using a MAC not present in the "Static IP Entries" table, what will be the lease? 192.168.64.x or 192.68.1.y?
I'd love to be wrong of course, but I've never seen such a setup.
Setting up the interface as 192.168.0.1/17 (make it /16 ^^) will allow you to make pools like 192.168.1.a->b and 192.168.64.c->d
edit: your image makes me think there are two (DHCP) servers bound to one and the same interface. That's a big no-no.
-
@Gertjan said in Multiple DHCP subnet on one LAN interface:
After all, if a DHCP request comes in using a MAC not present in the "Static IP Entries" table, what will be the lease? 192.168.64.x or 192.68.1.y?
I'd love to be wrong of course, but I've never seen such a setup.
192.168.1.0/24 has no address pool, so of course 192.168.64.0/24
-
@Gertjan said in Multiple DHCP subnet on one LAN interface:
edit: your image makes me think there are two (DHCP) servers bound to one and the same interface. That's a big no-no.
Yes, and it has worked for 5 years.
-
Use VLANs. That's the normal way to have VoIP and regular stuff on the same LAN.
-
@Gertjan said in Multiple DHCP subnet on one LAN interface:
edit: your image makes me think there are two (DHCP) servers bound to one and the same interface. That's a big no-no.
Actually, DHCP supports that. When a device makes a DHCP request, it goes with the first server to respond. These days, Duplicate Address Detection (DAD) is used to ensure the same address isn't handed out to more than one device, but you might want to create separate address pools, within the subnet, for the different DHCP servers, just in case.
-
Hummm.
So just one pool in the 192.168.64.0/24 range.
In that case, create a 192.168.0.1 (whatever)/16 interface IP on LAN;
On the DHCP server page, add the 64.150->64.253 pool,
Add your static DHCP MACs, the ones from the 192.168.1.x and 192.168.68.y ranges.
This might, no! => should work.
Use the ISC DHCP server if you use pfSense 2.7.2.
@JKnott: ok for multiple DHCP servers.
Also more than one pfSense DHCP server running on the same interface?
-
What are you thinking in terms of pfSense? Are you going to buy an appliance or try the community version? How big is your network, did you post the majority of it or is there a lot behind that?
-
@JKnott said in Multiple DHCP subnet on one LAN interface:
Use VLANs. That's the normal way to have VoIP and regular stuff on the same LAN.
Unfortunately, VLAN is not a solution because many unmanaged switches in our environment do not support it.
-
@Gertjan said in Multiple DHCP subnet on one LAN interface:
In that case, create a 192.168.0.1 whatever/16 interface IP on LAN;
Yes, but that would put them on the same subnet in practice. They could communicate with each other.
-
@Uglybrian said in Multiple DHCP subnet on one LAN interface:
What are you thinking in terms of pfSense? Are you going to buy an appliance or try the community version? How big is your network, did you post the majority of it or is there a lot behind that?
Community version only. Our network is small:
50 PC
10 VOIP DEVICE
2 proxmox server(1 backup)
11 IP CAMERA
1 NVR
5 Printer
7 switch
8 AP
8 router
max 10-20 wireless devices at the same time.
-
@sifti85 just buy some smart switches so you can use VLANs like any normal person.
You have 8 APs - but only 10 or 20 wireless on at any given time?
You may well be able to continue to leverage your dumb switches downstream of a smart one, when all the devices on a switch are in the same vlan.
So in theory, depending on your layout and connections, you might be going through all this nonsense when a $20-40 smart switch could remove the nonsense of running multiple layer 3 on the same layer 2. Or maybe a couple of them?
Can you draw out your network showing where your switches are, and what devices are where.
8 router
That's insane, no small network like that would have need of 8 routers. Are you calling your routers APs? And doubling the count?
-
@johnpoz said in Multiple DHCP subnet on one LAN interface:
That's insane, no small network like that would have need of 8 routers. Are you calling your routers APs? And doubling the count?
Yes, the routers function as APs, and mostly several computers and printers are plugged into them.
-
@sifti85 so you have 8 APs then. If they are not doing the router function of your typical soho wifi router, then they are just APs.
Nothing wrong with doing that if that is what you have to work with. If they are running 3rd party firmware like dd-wrt or openwrt they may very well support VLANs, and you might be able to just leverage them as your smart switches to allow for VLANs on your network.
A diagram showing how everything is connected and what devices are on what L3 IP space. It may be possible to segment your network correctly without having to purchase anything.
But again, you do not need some Cisco enterprise $$$ switches to do VLANs - there are plenty of 20 to 40 dollar switches on the market that understand VLANs.
-
@johnpoz said in Multiple DHCP subnet on one LAN interface:
A diagram showing how everything is connected and what devices are on what L3 IP space. It may be possible to segment your network correctly without having to purchase anything.
Tomorrow I will do it.
-
With the Zeroshell firewall I can create as many subnets on the native VLAN as I want :D How is this possible?
-
@sifti85 you can do whatever you want - that doesn't make it right; running multiple layer 3 IP ranges on the same layer 2 is just nonsense.
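As an added illustration, written for this page and not taken from any poster or from pfSense's own configuration, the question "how is this possible?" and Gertjan's "what will be the lease?" both come down to one ISC dhcpd feature: a `shared-network` declaration groups several subnets on one physical segment. A client whose MAC matches a `host` entry with a `fixed-address` in 192.168.1.0/24 gets that address; any other client falls through to the only `range`, which lives in 192.168.64.0/24. That matches the behaviour sifti85 describes. The MAC addresses and host names below are placeholders; the gateway and firewall addresses are the ones given in the thread. The pfSense GUI does not expose `shared-network`, so this shows the underlying dhcpd mechanism, not a pfSense how-to.

```conf
# Added example: ISC dhcpd shared-network serving two subnets on one segment.
# Placeholder MACs (IANA documentation range) and names; gateways from the thread.
authoritative;
default-lease-time 86400;
max-lease-time 172800;

shared-network LAN {
    # Subnet A: any client without a matching host entry is leased from this pool.
    subnet 192.168.64.0 netmask 255.255.255.0 {
        option routers 192.168.64.50;
        option subnet-mask 255.255.255.0;
        range 192.168.64.150 192.168.64.253;
    }

    # Subnet B: no range declared, so only hosts with a fixed-address in
    # this subnet (the VoIP phones below) can ever receive an address here.
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        option subnet-mask 255.255.255.0;
    }
}

# One host entry per VoIP phone; placeholder MAC addresses.
host voip-01 {
    hardware ethernet 00:00:5e:00:53:01;
    fixed-address 192.168.1.101;
}
host voip-02 {
    hardware ethernet 00:00:5e:00:53:02;
    fixed-address 192.168.1.102;
}
```

With this file, a request from 00:00:5e:00:53:01 is answered with 192.168.1.101 and gateway 192.168.1.1, while a request from any unlisted MAC is answered from 192.168.64.150-253 with gateway 192.168.64.50. The caveat raised by sifti85 and johnpoz still applies: both subnets sit in one broadcast domain, so any host on the LAN can configure itself into 192.168.1.0/24 by hand, and firewall rules between the two ranges never see that traffic. The separation is administrative, not a security boundary; only a VLAN (or a separate physical segment) gives the phones real isolation.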