Guest network w/ AD handling DHCP & DNS?

  • Hello,

    I need help thinking through how to implement a guest wireless network.  We are running Pfsense 2.1.5.  DC is handling DNS and DHCP.  I've been reading about broadcasting a separate SSID on our APs, and using VLAN functionality between the specific SSIDs and Pfsense to the internet.  I probably don't understand VLANs very well, but does it seem to be a security risk to have DHCP addresses handed out by our DC on the internal network, even if we use a separate address range?  I couldn't find anything in the forums.  I'm very open and grateful for suggestions.


  • LAYER 8 Global Moderator

    Do you have a smart switch that does vlans?

    If this is a guest network you could just have pfsense hand out IPs for this guest network.  Can be completely isolated from your other network(s)

    What APs do you have - they support multiple ssids with vlans?

  • It's likely not a security issue, unless there is some vulnerability in the MS DHCP server at some point that's exploitable via DHCP requests. Judging by history, that's unlikely, though possible.

    No reason you can't run the DHCP server for the guest network on pfSense. That'd be better to allow you to completely isolate the guest network from your LAN.

  • Thank you.  I took your advice and it's now up and running.  Cheers.

  • You should clarify which type of guest network you want:
    a) guest network with access to your internal resources (including access to AD), for ex. for employees from other offices, or
    b) totally isolated guest network, without access to your internal resources at all.

    If you intend to deploy variant B, then using AD's DNS and DHCP is not the best solution, not only from a security standpoint (besides the obvious exposure to malicious software on clients' notebooks, anyone could gather your internal AD structure and the names of your servers with plain and valid DNS lookups), but also from a network performance and server load standpoint:
    your DNS and DHCP servers will have many more requests to process;
    if someone's malicious (or just dumb) device floods your DNS and DHCP servers with constant requests, your internal clients will be impaired;
    and last but not least, if you register DNS records for DHCP clients (and I bet you WOULD), you will get increased replication bandwidth between DCs for AD-integrated DNS zones.

    So, a better solution would be to provide your guest zone with the pfSense DNS resolver, or just give them Google DNS ( and
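    The DNS-lookup exposure described in the post above can also be watched for on the resolver side. The following is an added example, not code from this thread or from pfSense: it scans a constructed resolver query log (the line format, the guest range 192.168.50.0/24 and the AD zone corp.example.local are all assumptions) and flags guest clients that query names inside the internal AD zone, which on an isolated guest network should never happen.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed query-log format (an assumption, not pfSense's own log layout):
# "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2015-01-10T09:00:01 192.168.50.23 www.example.com A
2015-01-10T09:00:02 192.168.50.23 _ldap._tcp.dc._msdcs.corp.example.local SRV
2015-01-10T09:00:03 192.168.50.23 dc01.corp.example.local A
2015-01-10T09:00:04 10.0.0.15 dc01.corp.example.local A
2015-01-10T09:00:05 192.168.50.40 fileserver.corp.example.local A
"""

GUEST_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed guest VLAN range
INTERNAL_ZONES = ("corp.example.local",)            # assumed AD-integrated zone

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_internal_name(qname: str) -> bool:
    """True if qname is the internal zone apex or any name beneath it."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def find_guest_internal_lookups(log_text: str):
    """Return (client_ip, qname, qtype) for guest-subnet queries that target internal zones."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, qname, qtype = m.groups()
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue
        if addr in GUEST_NET and is_internal_name(qname):
            hits.append((client, qname, qtype))
    return hits


def summarize(hits):
    """Count flagged lookups per guest client to spot the noisiest device."""
    per_client = defaultdict(int)
    for client, _qname, _qtype in hits:
        per_client[client] += 1
    return dict(per_client)


if __name__ == "__main__":
    for client, qname, qtype in find_guest_internal_lookups(SAMPLE_LOG):
        print(f"guest client {client} looked up internal name {qname} ({qtype})")
```

Queries from the internal subnet (10.0.0.15 in the sample) are ignored on purpose; only guest clients reaching into the AD zone are reported.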

  • Thanks for your input.  I was wanting a completely isolated Guest network, so I did what the previous post suggested. Pfsense is handling DHCP and DNS, so the guest network is on its own.
