I have DHCP enabled on the Windows Server why is the DHCP server need to be enabled on the firewall?

By shadetreeadmin
No one can get to the Internet unless the Firewall DHCP is enabled.
This is a simple setup that is connected as follows Cloud->Router->Firewall (gateway)->Switches->Machines (including the Win 2008 server).



All Answers


Depends on what you have running on it

by OH Smeg Moderator In reply to I have DHCP enabled on th ...

But no it doesn't need to be the Gateway unless you have a Gateway App running on it.



It doesn't need to be on it

by markp24 In reply to I have DHCP enabled on th ...

As Oh Smeg states, unless your running a service that needs it, then you should not require DHCP on that server.


Response To Answer

by usrhlp In reply to It doesn't need to be on i ...

You're, not your.


Response To Answer

by markp24 In reply to It doesn't need to be on i ...

Just another thought

by srakhra In reply to I have DHCP enabled on th ...

Hi there,

It is purely for security purposes. If blocked, clients may find it difficult to attach to your DHCP server to acquire an IP address. A firewall is basically designed to block everything. It's only through allowing access via a port number, MAC address or program association that this characteristic of a firewall can be modified as per the requirement. So enabling DHCP services on the server is not worthwhile unless it's allowed through in the firewall too.

Just wondering: I never enabled this before, and yet when I looked into my firewall's settings on Win Srv 2008 R2 I found it enabled by default.




by Charles Bundy In reply to I have DHCP enabled on th ...

ping, nslookup and ipconfig are your friends here. I'd say one of two things is happening -

A) Your firewall has a different IP/subnet from your DHCP scope under AD
B) DHCP on the server isn't set to supply the right IP for the gateway and DNS

Use the above listed tools on both the firewall and AD DHCP setups. That should narrow down if it is a routing/IP problem or a name resolution problem. Good Luck!


You Shouldn't Need DHCP On the Firewall

by CFWhitman In reply to I have DHCP enabled on th ...

Rest assured that you should not need DHCP enabled on the firewall if you're running it on another server. To figure out what's going on is a process of elimination.

You might try turning off DHCP on the firewall and releasing and renewing the IP address on a client and checking to see if it has the correct TCP/IP settings after you renew it. If it doesn't, then you know you have a configuration problem on the DHCP server. If it does have the correct settings, then you probably have a configuration problem on the firewall (or at least a non-matching configuration between the firewall and the DHCP server; that is, they don't agree on which traffic should be let through the firewall).

As Charles Bundy said, network testing commands like traceroute, ipconfig, nslookup, and ping should reveal the problem. You may also need to brush up on the general principles of firewall configuration, and how to institute them on your particular firewall.

Of course, it's possible that it would also work for you to turn off your internal DHCP server and just let the firewall do DHCP. If it were me, though, I'd want to know why it wasn't working even if I did decide to use the firewall's DHCP at a later time.


As mentioned, it sounds like DNS/DHCP config issues on the server(s)

by christexan In reply to I have DHCP enabled on th ...

First, your subnet configuration should be reviewed in DHCP/DNS, your IP "gateway" setting (aka 003 Router in Windows DHCP under Scope Options) should point to the internal address for the firewall.
Your firewall's internal address should be hard-coded to an IP in the same subnet as your machines (often either x.x.x.1 or x.x.x.254 to put it at one "end" of the range).
Your DHCP client settings for the gateway in the DHCP server should match the firewall's internal IP address.
The DHCP server "DHCP server" address should match your DHCP server's IP address if you run an "IPCONFIG /ALL" from the command line.
Windows/DHCP server address =
Firewall/Gateway address =
All servers or other "static" addressed machines should have their gateway address set to
In DHCP, the client scope settings should be set with a gateway (003 Router setting) of
In the DHCP scope address pool, you need to set up an exclusion for the firewall address (and any other static IP servers/devices) so another machine doesn't try to take it, causing a conflict. Or you can set up reservations for each device (requires MAC addressing, a little more complicated than just an exclusion).
-end example-
Typically it is very common for a small environment to preconfigure DHCP with a "static" pool and a DHCP pool. If you have a gateway at, 3 servers and a few printers that need static IPs, you might leave through out of the DHCP pool and use those addresses for those devices, and configure your DHCP pool to start at through If not, you'll have to set up exclusions at random as needed.
Good luck, hopefully these point you towards the solution.
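An added consistency check for the scope review described in this answer (example code, not from the thread; the addresses are constructed placeholders because the post's own values did not survive). It takes the firewall's internal address, the DHCP server address, the scope pool, option 003 Router, exclusions, reservations and the static hosts, and reports every place where they disagree.

```python
import ipaddress

# Constructed sample values: the original post's addresses did not survive,
# so these stand in for the Windows DHCP server, the firewall and the scope.
SUBNET = "192.168.1.0/24"
FIREWALL_IP = "192.168.1.1"                 # firewall's internal (LAN) address
DHCP_SERVER_IP = "192.168.1.10"             # Windows DHCP server
POOL = ("192.168.1.100", "192.168.1.200")   # scope address pool
OPTION_003_ROUTER = "192.168.1.1"           # gateway handed to clients
EXCLUSIONS = [("192.168.1.1", "192.168.1.20")]
RESERVATIONS = {"192.168.1.150": "00-11-22-33-44-55"}   # ip -> MAC
STATIC_HOSTS = {                            # name -> (static ip, configured gateway)
    "win2008-srv": ("192.168.1.10", "192.168.1.1"),
    "printer": ("192.168.1.15", "192.168.1.254"),   # deliberately wrong gateway
}

def check_scope(subnet, firewall_ip, dhcp_ip, pool, router_opt,
                exclusions, reservations, static_hosts):
    """Return the list of inconsistencies; an empty list means the setup agrees."""
    net = ipaddress.ip_network(subnet)
    fw = ipaddress.ip_address(firewall_ip)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    ranges = [(ipaddress.ip_address(s), ipaddress.ip_address(e)) for s, e in exclusions]

    def protected(addr):
        # A static address is safe if it is outside the pool, excluded, or reserved.
        return (not lo <= addr <= hi
                or any(s <= addr <= e for s, e in ranges)
                or str(addr) in reservations)
    findings = []
    if fw not in net:
        findings.append(f"firewall {fw} is outside subnet {net}")
    if ipaddress.ip_address(router_opt) != fw:
        findings.append(f"option 003 Router is {router_opt}, expected {fw}")
    for name, ip in (("firewall", fw), ("dhcp server", ipaddress.ip_address(dhcp_ip))):
        if not protected(ip):
            findings.append(f"{name} {ip} is leasable from the pool")
    for name, (ip, gw) in static_hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            findings.append(f"{name} {addr} is outside subnet {net}")
        if ipaddress.ip_address(gw) != fw:
            findings.append(f"{name} uses gateway {gw}, expected {fw}")
        if not protected(addr):
            findings.append(f"{name} {addr} is leasable from the pool")
    return findings

def check_sample():
    return check_scope(SUBNET, FIREWALL_IP, DHCP_SERVER_IP, POOL, OPTION_003_ROUTER,
                       EXCLUSIONS, RESERVATIONS, STATIC_HOSTS)
```

With the sample values the only finding is the printer's gateway; fixing it, or changing the router option or a static address, changes the report accordingly.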


Linux dhcp is also an option

Linux DHCP is 100 times more flexible and verbose in logging than MS DHCP.

Windows has the worst logging on system-related services, and it is vulnerable to viruses/malware and the non-stop reboots from patches.
