Netgate Discussion Forum

PfSense running as DHCP server only

General pfSense Questions
  • R
    rklopoto
    last edited by Dec 5, 2007, 8:00 PM

    Hi All,

    This may sound like a strange question, but I'd love to know the answer.

    I am a big fan of the pfSense software because it allows me to use an open-source firewall product, while still allowing others who are less technical here in my dept access to the web-gui.  I am using two boxes currently as firewall/NAT/DHCP with good results.  These successes now have me thinking.

    I have one segment of the LAN which just needs a DHCP server, since it already has a Checkpoint Firewall.  I currently have a basic FreeBSD box with ISC-DHCPD installed on it doing the DHCPD.  I get a lot of complaints since the only way to manage it is through an SSH window.  Rather than build a web interface for it, and other BSD instructions, I was thinking of using a pfSense box to do it.  This would be beneficial because these people already are familiar with the pfSense interface, and staying consistent helps me sleep at night.

    Can anyone see any drawbacks of only having a LAN interface defined in pfSense with a DHCP scope/reservations?  I have one configured, and it seems to work OK, but it hasn't been inline for a long time yet.  I have the scope pointing to a different gateway and DNS servers other than the local ones.  The only thing I can think of is that the NTP on it won't work.  Anything else?

    Thanks

    • S
      sullrich
      last edited by Dec 5, 2007, 11:09 PM

      pfSense will not work with one interface and will refuse to install.

      • C
        cmb
        last edited by Dec 6, 2007, 12:00 AM

        You can use one NIC with a fake VLAN, or use two NICs and leave one unplugged when it's in production.

        Problem might be you'll likely need a default gateway, you can only enter that on the WAN interface, but you can't serve DHCP on the WAN.

        • R
          rklopoto
          last edited by Dec 6, 2007, 1:18 AM

          @cmb:

          You can use one NIC with a fake VLAN, or use two NICs and leave one unplugged when it's in production.

          Problem might be you'll likely need a default gateway, you can only enter that on the WAN interface, but you can't serve DHCP on the WAN.

          Good points.  I have it installed with 2 cards in the machine.  I set the LAN IP and left the WAN blank.  The default gateway is only a slight problem, since  I don't need this machine to traverse any routers.  If someone wants to get to the mgmt interface, they have to be on that network, which to me is a plus.

          Thanks for the input, I just wanted to make sure that the machine didn't rely on an internet connection to continue to function.  Like I said, I have one running, and things look OK, but I don't want to find any gotchas 3 months down the road.

          • D
            dotdash
            last edited by Dec 6, 2007, 3:27 PM

            Why not just install webmin (http://www.webmin.com/) on the existing box?
            Basically, just download it, untar it into /usr/local/ or somesuch, then run setup.sh from the webmin directory…
            I love pfSense, but for a straight DHCP server, Webmin has more flexibility.

            • R
              rklopoto
              last edited by Dec 6, 2007, 9:44 PM

              I've used the webmin before, and I think it's a great product.  Unfortunately, what I am trying to do is make these 4 boxes that I have consistent with each other, so that I only have to train people on one interface.  Since I have 2 pfSense boxes already, this is the way for me to go.  I think it's great that these boxes are this flexible.

              Fortunately I don't need an elaborate DHCP server, just the basics + reservations and lease viewing.

              What I did for this particular box is install pfSense onto it with 2 NICs installed.  Once the install was done, I configured the LAN interface with the LAN IP, and in the WAN, I put 0.0.0.0 as the IP, and for the gateway, I put the IP of the LAN gateway.  This changes the routing table so that the machine can get to the internet for NTP, etc…  I'm actually kinda psyched that it works this way!  The LAN interface just sits there with nothing plugged into it.

              • C
                cmb
                last edited by Dec 7, 2007, 6:18 AM Dec 7, 2007, 6:09 AM

                @rklopoto:

                What I did for this particular box is install pfSense onto it with 2 NICs installed.  Once the install was done, I configured the LAN interface with the LAN IP, and in the WAN, I put 0.0.0.0 as the IP, and for the gateway, I put the IP of the LAN gateway.  This changes the routing table so that the machine can get to the internet for NTP, etc…  I'm actually kinda psyched that it works this way!  The LAN interface just sits there with nothing plugged into it.

                Hah, that's cool!  Nice hack. ;D  I assume you mean leave the WAN interface unplugged, not LAN?

                This is blog post worthy.  ;D  http://blog.pfsense.org/?p=157

                We were recently talking about adding input validation to the WAN so you can't do what you just did. Typically when the defined gateway isn't within the WAN IP subnet, things won't work. Breaking this ability would be an unintended consequence. Though by the time a production version has that code, it should also be able to add default gateways on the static routes page if you don't want to use a WAN at all.

                • S
                  sullrich
                  last edited by Dec 7, 2007, 6:43 AM

                  *scratches head* That's pretty neat and can allow for our "server mode" only that I have planned in the future at some point in time.

                  • G
                    GruensFroeschli
                    last edited by Dec 7, 2007, 10:41 AM

                    @rklopoto:

                    What I did for this particular box is install pfSense onto it with 2 NICs installed.  Once the install was done, I configured the LAN interface with the LAN IP, and in the WAN, I put 0.0.0.0 as the IP, and for the gateway, I put the IP of the LAN gateway.  This changes the routing table so that the machine can get to the internet for NTP, etc…  I'm actually kinda psyched that it works this way!  The LAN interface just sits there with nothing plugged into it.

                    I think you might even be able to replace the LAN interface with a VLAN-Interface sitting on the WAN-interface –> You only need one NIC.

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                    • J
                      jmontes4
                      last edited by Dec 11, 2007, 6:46 AM

                      Server only mode would be an awesome feature!

                      I will be experimenting with this over the holiday break.  One question (Mods, feel free to delete this if you think I'm hijacking the thread): do the two interfaces have to be WAN and LAN, or can they be LAN and OPT1, say a wireless LAN?

                      • G
                        GruensFroeschli
                        last edited by Dec 11, 2007, 10:33 AM

                        You always need at least 2 interfaces: LAN and WAN.
                        Any additional interfaces are OPTx.

                        We do what we must, because we can.

                        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                        • J
                          jmontes4
                          last edited by Dec 11, 2007, 11:28 AM

                          Cool, thanks for clearing that up!

                          • C
                            cybrsrfr
                            last edited by Jan 27, 2008, 12:21 AM Jan 27, 2008, 12:05 AM

                            I created a VLAN and assigned it to the WAN with pfSense RC4. So far so good. During the reboot it brings the LAN up and then hangs on the WAN.

                            On another system with 2 Ethernet ports I have set up
                            1st Ethernet Port -> LAN
                            2nd Ethernet Port -> WAN
                            Wireless -> Opt1
                            In this configuration, with wireless as an access point, you can bridge the Opt1 with either the LAN or WAN.

                            I have an ALIX.3C2 board in an outdoor enclosure with 1 ethernet and 1 wireless. Attempting to do the same thing.
                            Ethernet Port -> LAN
                            VLAN -> WAN
                            Wireless -> Opt1

                            Attempts to bridge the wireless on the WAN directly to the LAN do not seem to work and that is why I have tried this approach.

                            I think this might be another use for not requiring the WAN. It would really be nice to have a WAN override as a hidden option so that it will not be required. A hidden option would protect beginners from ending up with only one interface unintentionally.

                            I just thought of another potential approach similar to the one mentioned at the beginning of this thread…
                            Buy a mini-PCI Ethernet card so the system recognizes another Ethernet NIC and set that as the WAN. Seems like a messy way to do it, but it may work if I can find a mini-PCI Ethernet card compatible with FreeBSD.

                            • R
                              ridnhard19
                              last edited by Jan 31, 2008, 4:28 AM

                              Any thoughts on setting up a DHCP relay agent on your Checkpoint firewall?  You could then create a new DHCP scope and leverage your existing DHCP infrastructure.  I like to see networks managed centrally - depending on how they are set up, this is not possible sometimes (branch offices, etc…).  I don't think you can create/use different scopes with the pfSense box. I'm not sure what it uses behind the scenes; I'm just starting to play with it to see how I can use it.
