Static IP vs DHCP



  • I have been reading, but not yet completed, the pfSense manual so please excuse the question. However, I really need to answer this question though before I proceed too deeply into pfSense setup.

    Briefly, I have a pfSense Network Appliance with a file server, 7 computers, printer and some end devices - quite small is the point.

    I keep coming back to what I believe to be obvious: As in our computer lab for Cisco, 20+ computers all have statically assigned IP addesses for the Windows 7 Workstations, not unlike what I have here. That I believe would eliminate confusion between the DHCP on pfSense and that on Windows, the DHCP on Windows being slower I believe.

    Should I not, then, just assign static IP's to all my computers and end devices?

    I can think of other reasons (security, speed, maintenance, etc.) why static IP's would be the better choice. Could I be mistaken in my thinking?


  • Moderator

    You should never have a network with two dhcp servers as it will be mismatched.

    If its a Windows Network with AD and DNS, I would recommend using the Windows DHCP Server instead of having DHCP managed on pfSense.

    There are benefits both ways. If the network is not going to be changing, setting static is better in my opinion. But if you foresee lots of changes down the road, DHCP makes it easier to manage.



  • You should never have a network with two dhcp servers as it will be mismatched.

    That of course would be basic sense, though therein lies my confusion. Not having read enough yet of the manual, I did not know how/if pfSense defers to Windows for assigning IP's. What I have experienced, however, since setting up the pfSense box is that occasionally, quite often actually, some of my computers can see other computers but not vice versa. That is why I though setting static IP's might keep things a little straighter.

    And, no, I do not have a large network nor do I expect any need for scalability. It's pretty "static" so to speak.

    …..................

    Actually right now I just happened to think there is no way at all pfSense could provide dhcp service, because everything is being coursed through a single WAN and out a single LAN NIC and then through my Cisco SG300 Managed Switch and on to the computers.

    A really stupid question, if I might say so myself - at least as far as who handles dhcp (obviously MS does). In the future, though, whatever the setup it does seem to be best to use static IP's.??


  • Rebel Alliance Global Moderator

    If you have windows domain running dhcp server - why would you enable the dhcp server on pfsense?  You should only have 1 dhcp on a network - PERIOD!! Conversation over!!  Turn 1 of them off - if your running AD, then it makes sense to let windows do it.  If your not running AD, then just let pfsense do it.

    There can be only 1!! Though..




  • I think we all know that you should have only one dhcp server.

    The question is dhcp vs static for a small network. Advantages of static over dhcp for security, etc.  For example, http://security.stackexchange.com/questions/1925/dhcp-vs-static-ip-addressing

    Different topic altogether.  ;)


  • Rebel Alliance Global Moderator

    There is NO advantage to static - its a PITA..  Why would you not just run dhcp?  If you want your boxes to always have the same IP then then set reservation.

    You are not making it clear what your freaking question is from comments like this.
    "I did not know how/if pfSense defers to Windows for assigning IP's."

    Seemed to me you are running 2 from a statement like that.  Why would you be worried about security on a small private network with 7 devices on it?  If you worried about someone plugging into your network - not having dhcp is not going to stop them.  Now the use of port security, disable unused ports on your switch (switch in controlled area) use of NAC or NAP, etc. would be security features - not a static network..  Now if you have nothing to run a dhcp server then sure ok static works.  But if you have a dhcp server available and you don't use it for security reasons you have your tinfoil hat on way to freaking tight ;)



  • Yes, I know about closing ports for port security.

    There is NO advantage to static

    On large networks everyone knows that. But mine is very small.

    It would seem that you could answer a simple question without ad hominem attacks. If you don't know the answer, well then man up and just say I don't know. I will never fault you for not knowing. You are only human after all.  :)

    But let's not make ourselves a walking cliche by talking about tin-foil hats. That is a bit silly, don't you agree?

    Not to worry, my friend. I can read on my own and will talk to my Cisco instructor, who set up our lab with static IP's. Kinda foolish of him, I guess.  ;)


  • Rebel Alliance Global Moderator

    How much clear can I be - there is NO advantage to static be it you have 1 device or 1000..  Other than if you only have a couple of devices and don't have a dhcp server available then using static would allow you to talk to your devices.  Or for that matter you could just let them use APIPA and use those ;)

    Sorry but if you think static IPs are a security method then your tinfoil hat is indeed on too tight ;)



  • Thank you for your reply and please forgive my tendency to be heretical but that tendency to question has served me quite well in life.

    After further reading, it appears that dynamic IP's might actually serve to prevent spoofing in that the IP's of each computer would be completely unpredictable. More simply put, if there is a security component, and yes I think for security everything should be examined, then DHCP would actually tend to be more secure.

    Thanks for your help!  :)


  • Rebel Alliance Global Moderator

    I would not really agree that dhcp clients Ips would be completely unpredictable.  Once a client gets an IP - it would tend to use that IP forever, as long as it can renew.  That ip might change is if its offline for longer time than the lease and the dhcp server then reassigned the IP to another device.

    Dhcp client normally renew at 50% of the lease time, so unless the client is off for longer than say 50% of the lease time and it was before its renew when it went offline its unlikely that it would not just keep renewing the same IP.  Even if the client has been off the network for longer than the lease - many clients would still request its old IP - and only if the dhcp server had reissued it would it not give that same IP to the original lease holder if requested.

    Comes down to your lease time and how long devices leave the network for.  In the case of say a server type device that is on 24/7/365 it should always have the same IP.  You might even set a reservation so that you don't hand that IP to other devices even if the client is offline for longer than the lease because say you forward traffic to that box and want to make sure it has the same IP, etc.

    Where you normally see static is on server/printer/network equipment/etc that is normally on all the time.  Unless you plan on changing information that is handed out via dhcp - say the gateway, say the ntp server or other info you can hand out via dhcp if that device is "static" type device you might set it on the device directly and maintain your dhcp scope for more dynamic devices.

    This is not really an advantage - but might be something the admin does just for administrative reasons.  You also have things where they are not good dhcp client devices.  For example your dhcp server highly unlikely it could be a dhcp cient itself :)  Your most likely not going to want your AD DC to be a dhcp client, or your Router lan interface ;)

    In most every network your going to see a mix of static and dhcp.  The less static the better from a administrative point of view - static like on a printer normally has to be done using a limited input method on the printer itself for example.  I would much rather just let it pick one from a pool and use name resolution to access it, or setup a reservation in in my dhcp server vs using a limited input method.


  • Netgate Administrator

    I agree with most of what Jon said.
    I use a combination of static and DHCP in most networks I'm allowed to play with. Mostly I use a combination of static and dynamic DHCP leases but some devices just behave better with hard coded IPs.

    The advantage of running static IP is that device will continue to fucntion in the event that the DHCP server becomes unavailable for whatever reason. For example a switch or a wireless access point can still be reconfigured even if the router/dhcp server is firewalled off. I have seen devices that refuse to allow access to the management interface from outside their own subnet. I have to connect to them directly with my laptop to configure them and having static IPs already set makes that much easier.

    Using pfSense for DHCP allows IPs to be resolved to DHCP leases which can make reading the firewall logs much easier. I'm not sure if you can configure pfSense to run reverse DNS against an AD server, I've never tried.

    Steve


  • Rebel Alliance Global Moderator

    "The advantage of running static IP is that device will continue to fucntion in the event that the DHCP server becomes unavailable for whatever reason"

    Valid point to be sure - but unless you had a very short lease time, your devices should continue to function for days.  Lets call it a 4 day lease - worse case a box just before renew (2 days) the dhcp takes a dump.  That device should function unless rebooted for at min 2 days.  I would hope you have your dhcp server online again within that time frame ;)

    Not sure if would consider that an "advantage" but sure its a feature of using static that could be useful on loss of dhcp server.  Normally your dhcp server would be run on a production system like your router (pfsense or soho)  Or your AD servers normally DC in for sure in a smb setup.  If those took a dump your going to have more issues on your hand non related to the actual dhcp service ;)  If an enterprise setup you would normally have dhcp failover setup, and worse case bringing up a dhcp server in case of loss of primary or backup is trivial task if you ask me.


  • Netgate Administrator

    To be clear that's the only advantage I can think of.  ;)
    I'm talking about small SOHO networks here also. I've been in situations where, following a power outage or equipment failure, I'm unable to access a device that would have been trivial had it had a fixed IP written on the outside of the device.
    I would always avoid fixed IPs for most devices though.

    Steve


  • Moderator

    @stephenw10:

    I've been in situations where, following a power outage or equipment failure, I'm unable to access a device that would have been trivial had it had a fixed IP written on the outside of the device.
    I would always avoid fixed IPs for most devices though.

    When I hit that situation, I enable DHCP in pfSense (opening up a single DHCP pool) and let the device connect and find the DHCP address from there. Then disable DHCP once I get everything back to normal.

    I also like to set Servers and other Core devices to Static to avoid those types of Issues. A little more work but helps on hairy days!