Netgate Discussion Forum
    Guest network w/ AD handling DHCP & DNS?

    DHCP and DNS
    6 Posts 4 Posters 1.5k Views
    • esseebee

      Hello,

      I need help thinking through how to implement a guest wireless network. We are running pfSense 2.1.5. The DC is handling DNS and DHCP. I've been reading about broadcasting a separate SSID on our APs, and using VLAN functionality between the specific SSIDs and pfSense to the internet. I probably don't understand VLANs very well, but does it seem to be a security risk to have DHCP addresses handed out by our DC on the internal network, even if we use a separate address range? I couldn't find anything in the forums. I'm very open and grateful for suggestions.

      Cheers

      • johnpoz LAYER 8 Global Moderator

        Do you have a smart switch that does vlans?

        If this is a guest network you could just have pfSense hand out IPs for this guest network. It can be completely isolated from your other network(s).

        What APs do you have? Do they support multiple SSIDs with VLANs?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • cmb

          It's likely not a security issue, unless there is some vulnerability in the MS DHCP server at some point that's exploitable via DHCP requests. Judging by history, that's unlikely, though possible.

          No reason you can't run the DHCP server for the guest network on pfSense. That'd be better to allow you to completely isolate the guest network from your LAN.

          • esseebee

            Thank you. I took your advice and it's now up and running. Cheers.

            • Soyokaze

              You should clarify which type of guest network you want:
              a) a guest network with access to your internal resources (including access to AD), e.g. for employees from other offices, or
              b) a totally isolated guest network, without any access to your internal resources.

              If you intend to deploy variant B, then using AD's DNS and DHCP is not the best solution, not only from a security point of view (besides the obvious exposure to malicious software on clients' notebooks, anyone could gather your internal AD structure and the names of your servers with plain and valid DNS lookups), but also in terms of network performance and server load:
              your DNS and DHCP servers will have many more requests to process;
              if some malicious (or just dumb) device floods your DNS and DHCP servers with constant requests, your internal clients will be impaired;
              and last but not least, if you register DNS records for DHCP clients (and I bet you WOULD), you will get increased replication bandwidth between DCs for AD-integrated DNS zones.

              So, a better solution would be to provide your guest zone with the pfSense DNS resolver, or just give them Google DNS (8.8.8.8 and 8.8.4.4).

              Need full pfSense in a cloud? PM for details!

              • esseebee
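As an added example (not from this thread, Netgate or pfSense itself), an unbound.conf fragment for the pfSense DNS Resolver when it serves only the guest VLAN while the DC keeps serving the LAN, as the posts above suggest. The guest gateway 192.0.2.1, guest subnet 192.0.2.0/24, LAN subnet 192.168.1.0/24 and AD domain ad.example.test are assumed placeholders; on pfSense the interface binding is chosen in the Resolver GUI and the remaining lines belong in its Custom Options box.

```conf
server:
    # Listen only on the guest VLAN gateway address (assumed placeholder),
    # so LAN hosts keep using the DC for DNS and never reach this instance.
    interface: 192.0.2.1

    # Answer guest clients and refuse any other source that reaches us.
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Return REFUSED for the whole AD namespace (placeholder domain), which
    # also covers _ldap._tcp.dc._msdcs.* and every host record under it.
    # Nothing is forwarded to the DCs, so guests cannot enumerate AD.
    local-zone: "ad.example.test." refuse

    # Do the same for the LAN's reverse zone so PTR lookups leak no names
    # (assumed LAN subnet 192.168.1.0/24).
    local-zone: "1.168.192.in-addr.arpa." refuse

    # Strip RFC 1918 answers from public responses so an external name
    # cannot be used to point guests at internal addresses (DNS rebinding).
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
```

From a guest client, an SRV lookup for `_ldap._tcp.dc._msdcs.ad.example.test` against 192.0.2.1 should come back REFUSED; that single query is a quick check that the isolation described in the post is actually in place.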

                Thanks for your input. I was wanting a completely isolated guest network, so I did what the previous post suggested. pfSense is handling DHCP and DNS, so the guest network is on its own.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.