
I have DHCP enabled on the Windows Server why is the DHCP server need to be enabled on the firewall?

0 Votes
Locked


shadetreeadmin
No one can get to the Internet unless the Firewall DHCP is enabled.
This is a simple setup that is connected as follows Cloud->Router->Firewall (gateway)->Switches->Machines (including the Win 2008 server).
    0 Votes
    OH Smeg

    But no it doesn't need to be the Gateway unless you have a Gateway App running on it.

    Col

    0 Votes
    markp24

    As Oh Smeg states, unless your running a service that needs it, then you should not require DHCP on that server.

    0 Votes
    usrhlp

    You're, not your.

    0 Votes
    markp24

    I'm sorry, what?

    0 Votes
    srakhra

    Hi there,

    It is purely for security purposes. If blocked, clients may find it difficult to attach to your DHCP server to acquire an IP address. A firewall is basically designed to block everything. It's only through allowing access via a port number, MAC address or program association that this characteristic of the firewall can be modified as per the requirement. So enabling DHCP services on the server is not worthwhile unless it's allowed through in the firewall too.

    Just wondering: I never enabled this before, and yet when I looked into my firewall's settings on Win Srv 2008 R2 I found it enabled by default.

    Satts

    2 Votes
    Charles Bundy

    ping, nslookup and ipconfig are your friends here. I'd say one of two things is happening -

    A) Your firewall has a different IP/subnet from your DHCP scope under AD
    B) DHCP on the server isn't set to supply the right IP for the gateway and DNS

    Use the above listed tools on both the firewall and AD DHCP setups. That should narrow down if it is a routing/IP problem or a name resolution problem. Good Luck!

    1 Votes
    CFWhitman

    Rest assured that you should not need DHCP enabled on the firewall if you're running it on another server. To figure out what's going on is a process of elimination.

    You might try turning off DHCP on the firewall and releasing and renewing the IP address on a client and checking to see if it has the correct TCP/IP settings after you renew it. If it doesn't, then you know you have a configuration problem on the DHCP server. If it does have the correct settings, then you probably have a configuration problem on the firewall (or at least a non-matching configuration between the firewall and the DHCP server; that is, they don't agree on which traffic should be let through the firewall).

    As Charles Bundy said, network testing commands like traceroute, ipconfig, nslookup, and ping should reveal the problem. You may also need to brush up on the general principles of firewall configuration, and how to institute them on your particular firewall.

    Of course, it's possible that it would also work for you to turn off your internal DHCP server and just let the firewall do DHCP. If it were me, though, I'd want to know why it wasn't working even if I did decide to use the firewall's DHCP at a later time.
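    The two causes Charles Bundy lists (A: the lease is coming from a different box than the Windows DHCP server; B: the scope hands out the wrong gateway or DNS) and the release/renew elimination CFWhitman describes can be checked from a client in one pass. The script below is an added example, not code from either poster; it assumes the firewall's inside address is 10.1.1.1 and the Windows DHCP/DNS server is 10.1.1.5 (the values christexan uses further down), and it reads adapter settings through WMI so it runs on the PowerShell 2.0 that ships with Server 2008 R2 era clients. The test host name is a placeholder.

```powershell
# Added example: client-side DHCP/gateway/DNS triage (not from the thread).
# Assumed addresses: firewall inside IP 10.1.1.1, Windows DHCP/DNS server 10.1.1.5.
param(
    [string]$ExpectedGateway    = '10.1.1.1',
    [string]$ExpectedDhcpServer = '10.1.1.5',
    [string]$ExpectedDns        = '10.1.1.5',
    [string]$TestHost           = 'www.example.com',   # placeholder external name
    [switch]$Renew                                       # CFWhitman's release/renew step
)

if ($Renew) {
    # Do this after disabling DHCP on the firewall, so the only possible answer is the Windows server
    ipconfig /release | Out-Null
    ipconfig /renew   | Out-Null
}

# Win32_NetworkAdapterConfiguration exposes the same fields as "ipconfig /all"
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($nic in $nics) {
    Write-Host "=== $($nic.Description) ==="
    $ip  = @($nic.IPAddress)[0]
    $gw  = @($nic.DefaultIPGateway)[0]
    $dns = @($nic.DNSServerSearchOrder)[0]
    Write-Host ("IP {0}  DHCP enabled {1}  DHCP server {2}  GW {3}  DNS {4}" -f `
        $ip, $nic.DHCPEnabled, $nic.DHCPServer, $gw, $dns)

    # Case A: the lease was handed out by something other than the Windows server
    if ($nic.DHCPEnabled -and $nic.DHCPServer -ne $ExpectedDhcpServer) {
        Write-Warning "Lease came from $($nic.DHCPServer), not $ExpectedDhcpServer: another DHCP server (e.g. the firewall) is answering."
    }

    # Case B: scope options 003 Router / 006 DNS point at the wrong addresses
    if ($gw -ne $ExpectedGateway) { Write-Warning "Gateway is $gw, expected $ExpectedGateway (check scope option 003)." }
    if ($dns -ne $ExpectedDns)    { Write-Warning "DNS is $dns, expected $ExpectedDns (check scope option 006)." }

    # Routing test: can this client reach its gateway at all?
    $gwOk = Test-Connection -ComputerName $gw -Count 2 -Quiet
    Write-Host "Ping gateway $gw : $gwOk"

    # Name-resolution test, kept separate so a DNS failure is not mistaken for a routing failure
    try {
        $addr = ([System.Net.Dns]::GetHostAddresses($TestHost) | Select-Object -First 1).IPAddressToString
        Write-Host "Resolved $TestHost -> $addr"
        Write-Host ("Ping {0} : {1}" -f $addr, (Test-Connection -ComputerName $addr -Count 2 -Quiet))
    } catch {
        Write-Warning "DNS lookup of $TestHost failed via $dns : $($_.Exception.Message)"
    }
}
```

    Run it once with the firewall's DHCP on and once with it off and -Renew; a gateway ping that succeeds while the lookup fails points at the DNS option, a lease that arrives from the firewall's address points at a second DHCP server on the segment, and no lease at all with the firewall's DHCP off points at the Windows server or its host firewall.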

    1 Votes
    christexan

    First, your subnet configuration should be reviewed in DHCP/DNS, your IP "gateway" setting (aka 003 Router in Windows DHCP under Scope Options) should point to the internal address for the firewall.
    Your firewall's internal address should be hard-coded to an IP in the same subnet as your machines (often either x.x.x.1 or x.x.x.254 to put it at one "end" of the range).
    Your DHCP client settings for the gateway in the DHCP server should match the firewall's internal IP address.
    The DHCP server "DHCP server" address should match your DHCP server's IP address if you run an "IPCONFIG /ALL" from the command line.
    Example:
    Windows/DHCP server address = 10.1.1.5
    Firewall/Gateway address = 10.1.1.1.
    All servers or other "static" addressed machines should have their gateway address set to 10.1.1.1.
    In DHCP, the client scope settings should be set with a gateway (003 Router setting) of 10.1.1.1
    In the DHCP scope address pool, you need to set up an exclusion for the firewall address 10.1.1.1 (and any other static IP servers/devices) so another machine doesn't try to take it, causing a conflict. Or you can set up reservations for each device (requires MAC addressing, a little more complicated than just an exclusion).
    -end example-
    Typically it is very common for a small environment to preconfigure DHCP with a "static" pool and a DHCP pool. If you have a gateway at 10.1.1.1, 3 servers and a few printers that need static IPs, you might leave 10.1.1.1 through 10.1.1.25 out of the DHCP pool and use those addresses for those devices, and configure your DHCP pool to start at 10.1.1.26 through 10.1.1.254. If not, you'll have to set up exclusions at random as needed.
    Good luck, hopefully these point you towards the solution.
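    The layout christexan describes (static block .1 to .25 kept out of the pool, lease pool .26 to .254, option 003 Router set to the firewall's inside address, an exclusion or a reservation for static devices) expressed as a script, plus the verification srakhra's post calls for: that option 003 really matches the firewall and that the server's own host firewall lets UDP/67 in. This is an added example, not christexan's or srakhra's code. It uses the DhcpServer cmdlets, which require Windows Server 2012 or later (on 2008 R2 the same steps are done in the DHCP MMC or with "netsh dhcp server"); the addresses are the thread's, while the scope name, DNS domain, reservation MAC and reservation name are placeholders.

```powershell
# Added example: build and verify the scope layout from the thread (not the poster's code).
# Requires the DhcpServer module (Server 2012+); addresses follow the thread's example.
Import-Module DhcpServer

$ScopeNet   = '10.1.1.0'
$Mask       = '255.255.255.0'
$Firewall   = '10.1.1.1'      # inside address of the gateway (option 003 Router)
$DhcpServer = '10.1.1.5'      # Windows DHCP/DNS server (option 006 DNS)
$StaticEnd  = '10.1.1.25'     # .1-.25 reserved for the firewall, servers and printers
$PoolStart  = '10.1.1.26'
$PoolEnd    = '10.1.1.254'

# 1. Scope whose lease pool begins after the static block
Add-DhcpServerv4Scope -Name 'LAN (placeholder name)' -StartRange $PoolStart -EndRange $PoolEnd `
    -SubnetMask $Mask -State Active

# 2. Explicit exclusion for the static block, so a later widening of the range
#    can never hand out the firewall's or a server's address and cause a conflict
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeNet -StartRange $Firewall -EndRange $StaticEnd

# 3. Scope options: 003 Router = firewall inside IP, 006 DNS = the Windows server
Set-DhcpServerv4OptionValue -ScopeId $ScopeNet -Router $Firewall -DnsServer $DhcpServer `
    -DnsDomain 'corp.example'   # placeholder domain

# 4. The alternative christexan mentions for one device: a reservation keyed on its MAC
Add-DhcpServerv4Reservation -ScopeId $ScopeNet -IPAddress '10.1.1.30' `
    -ClientId '00-11-22-33-44-55' -Name 'printer1-placeholder'   # placeholder MAC/name

# 5. Verify: the gateway clients will be told about must equal the firewall's inside address
$router = @((Get-DhcpServerv4OptionValue -ScopeId $ScopeNet -OptionId 3).Value)[0]
if ($router -ne $Firewall) {
    Write-Warning "Option 003 is $router, expected $Firewall"
} else {
    Write-Host "Option 003 OK: $router"
}

# 6. Verify the service is listening on UDP/67 and the host firewall has a DHCP rule,
#    which is the server-side half of srakhra's point
netstat -an -p UDP | Select-String ':67 '
netsh advfirewall firewall show rule name=all | Select-String 'DHCP'
```

    Compare the printed option 003 value with what "ipconfig /all" shows as Default Gateway on a client; if the two differ after a renew, the client is leasing from somewhere else, which is exactly the symptom the original question describes.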

    0 Votes

    Linux DHCP is 100 times more flexible and verbose in logging than MS DHCP.

    Windows has the worst logging on system related services, and it is vulnerable to viruses/malware and the non-stop reboots from patches.
