DHCP server


Blue)(Fusion (Active Member, Mar 1, 2017, Chicago):

While trying to slim down pfSense duties, I tried setting up my ICX6610 as the DHCP server on each of the VLANs. This worked only partially. Reading through the giant thread, I found out that the ICX DHCP server is not authoritative, so some IoT devices (pretty much all of my wireless devices that aren't my laptop) refuse to accept the DHCP lease.

I'm trying to set up a DHCP server. I have installed dnsmasq on a VM. I'm not certain that this scenario is possible, so please tell me if it is or isn't and how to go about it, if it is.

I have the following setup:

pfSense as WAN firewall and DNS resolver only, ICX6610 as gateway for all VLANs. All traffic transported to pfSense via VLAN 999, 10.199.199.1/30 (ICX) <--> 10.199.199.2/30 (pfsense).

The dnsmasq server (10.1.1.100/24) is on my Management VLAN 5.

Two parts I'm not sure about:

1) Can I have the single VM give out IPs to several VLANs via the switch? How do I set it up on the switch?
2) Can the dnsmasq server serve DNS to pfsense, which acts as the primary resolver for the network? I.e. tell pfsense to look up mydomain.com to the dnsmasq server? Again, if so, how?
 

BlueLineSwinger (Active Member, Mar 11, 2013):

> 1) Can I have the single VM give out IPs to several VLANs via the switch? How do I set it up on the switch?

Yes, assuming DNSMasq can be configured with scopes for multiple subnets (I believe it can, but I have no real experience with it). There's nothing to set up on the switch. Instead, you have to configure DHCP relay on the router.


> 2) Can the dnsmasq server serve DNS to pfsense, which acts as the primary resolver for the network? I.e. tell pfsense to look up mydomain.com to the dnsmasq server? Again, if so, how?

You should be able to simply set the pfSense DNS settings to use your DNSMasq server. DNSMasq should be configured to issue its own IP address as DNS to the DHCP clients.
 

kapone (Well-Known Member, May 23, 2015):

1) I'm not that familiar with dnsmasq configuration, but assuming it has support for VLANs/scopes for DHCP, it should work. You set up the VM/dnsmasq server in whatever VLAN you want, do not add that port to any other VLAN (for this purpose); instead, use the Brocade IP helper command to add the dnsmasq server as a "helper" in other VLANs.

As an e.g. let's say you have VLAN 10 that represents some network and you want DHCP on it.

- In the 6610 you'd go into the ve interface for VLAN 10 config and add "ip helper-address xx 10.1.1.100". (This needs to be done on the ve interface, not the vlan itself.)
- The xx represents an integer value from 1 to a max of 16 for each ve interface.
- The IP address after the xx represents the IP of the server that you want as a helper. In your case, that's your dnsmasq server.

2) No reason why it couldn't. The DHCP server shouldn't care what addresses it gives out for various DHCP options, as long as your network is configured for it. In dnsmasq DHCP options/config, for each scope/vlan you'd set:

- The IP range
- Default gateway - This should point to the IP address of the ve interface on your switch for that VLAN (for VLAN routing using the switch, otherwise you do it differently).
- DNS server(s) - This would point to your pfSense IP. The dnsmasq server is not resolving anything in this case, it is simply telling a DHCP client to use a particular DNS server.
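What the `ip helper-address` relay actually does on the wire, as an added example (not code from the thread, from Brocade or from dnsmasq): a stdlib-only Python simulation of a client in VLAN 10 reaching a DHCP server in Management VLAN 5 through the switch's relay, including the "authoritative" case from the first post. 10.1.1.100 (the dnsmasq VM) and 10.199.199.2 (pfSense, handed out as the DNS server) are from the thread; the VLAN 10 subnet 10.10.10.0/24, its ve address 10.10.10.1, the client MAC and the stale address 192.168.1.50 are assumptions constructed for the run.

```python
import ipaddress
import struct

# Added example, not the thread's code. Addresses other than 10.1.1.100 and
# 10.199.199.2 are assumptions; the client MAC and the stale lease are constructed.
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes
SERVER_ID = "10.1.1.100"             # DHCP server VM in Management VLAN 5
DNS = "10.199.199.2"                 # pfSense, handed out as the resolver
SCOPES = {                           # one scope per routed VLAN; router = ve address
    ipaddress.ip_network("10.10.10.0/24"): {"first": "10.10.10.100", "router": "10.10.10.1"},
    ipaddress.ip_network("10.1.1.0/24"): {"first": "10.1.1.150", "router": "10.1.1.1"},
}


def packed(ip):
    return ipaddress.ip_address(ip).packed


def build(op, xid, ciaddr, yiaddr, giaddr, mac, options):
    """Serialize a DHCP message; options is a list of (code, bytes)."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, packed(ciaddr), packed(yiaddr),
                      packed("0.0.0.0"), packed(giaddr), mac.ljust(16, b"\0"), b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"


def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP message"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                      # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    ip = lambda raw: str(ipaddress.ip_address(raw))
    return {"op": f[0], "hops": f[3], "xid": f[4], "ciaddr": ip(f[7]),
            "yiaddr": ip(f[8]), "giaddr": ip(f[10]), "mac": f[11][:6], "opts": opts}


def relay(pkt, ve_ip):
    """The ve's 'ip helper-address' behaviour: set giaddr to the ve address if no
    relay has done so yet, bump hops, and unicast the packet to the helper."""
    if pkt[24:28] == b"\0" * 4:
        pkt = pkt[:24] + packed(ve_ip) + pkt[28:]
    return pkt[:3] + bytes([pkt[3] + 1]) + pkt[4:]


class Server:
    def __init__(self, authoritative):
        self.authoritative = authoritative
        self.leases = {}                     # mac -> IPv4Address (toy allocator)

    def scope(self, msg):
        # RFC 2131: a non-zero giaddr identifies the client's subnet; zero means the
        # packet arrived on one of the server's own interfaces. No interface in VLAN 10
        # is needed, only a scope whose subnet contains giaddr.
        anchor = ipaddress.ip_address(SERVER_ID if msg["giaddr"] == "0.0.0.0" else msg["giaddr"])
        return next(((n, s) for n, s in SCOPES.items() if anchor in n), (None, None))

    def reply(self, msg, mtype, yiaddr, extra):
        opts = [(53, bytes([mtype])), (54, packed(SERVER_ID))] + extra
        # giaddr is echoed so the reply goes back to the relay, which re-broadcasts it.
        return build(BOOTREPLY, msg["xid"], "0.0.0.0", yiaddr, msg["giaddr"], msg["mac"], opts)

    def handle(self, pkt):
        msg = parse(pkt)
        net, scope = self.scope(msg)
        if net is None:
            return None                      # no scope covers giaddr: request is dropped
        lease_opts = [(1, net.netmask.packed), (3, packed(scope["router"])),
                      (6, packed(DNS)), (51, struct.pack("!I", 3600))]
        mtype = msg["opts"][53][0]
        if mtype == DISCOVER:
            ip = self.leases.setdefault(msg["mac"], ipaddress.ip_address(scope["first"]) + len(self.leases))
            return self.reply(msg, OFFER, str(ip), lease_opts)
        if mtype == REQUEST:
            raw = msg["opts"].get(50)        # requested address (INIT-REBOOT), else ciaddr
            wanted = ipaddress.ip_address(raw) if raw else ipaddress.ip_address(msg["ciaddr"])
            if wanted not in net or self.leases.get(msg["mac"]) != wanted:
                # Not a lease this server gave out on this subnet, e.g. a stale lease from
                # an old router. Authoritative: NAK, so the client starts over with DISCOVER.
                # Non-authoritative: stay silent, and the client keeps retrying what it had.
                return self.reply(msg, NAK, "0.0.0.0", []) if self.authoritative else None
            return self.reply(msg, ACK, str(wanted), lease_opts)
        return None


def demo(authoritative):
    """A VLAN 10 client boots, then sends an INIT-REBOOT request for a stale lease."""
    server = Server(authoritative)
    mac = bytes.fromhex("0242ac110a01")      # constructed client MAC
    discover = build(BOOTREQUEST, 0x1234, "0.0.0.0", "0.0.0.0", "0.0.0.0", mac,
                     [(53, bytes([DISCOVER]))])
    offer = parse(server.handle(relay(discover, "10.10.10.1")))
    stale = build(BOOTREQUEST, 0x1235, "0.0.0.0", "0.0.0.0", "0.0.0.0", mac,
                  [(53, bytes([REQUEST])), (50, packed("192.168.1.50"))])
    answer = server.handle(relay(stale, "10.10.10.1"))
    return offer, (parse(answer) if answer else None)


if __name__ == "__main__":
    offer, nak = demo(authoritative=True)
    print("offer", offer["yiaddr"], "via relay", offer["giaddr"])
    print("stale request ->", "NAK" if nak else "silence")
```

The OFFER carries the ve address as `routers` and pfSense as `domain-name-servers`, exactly the two per-scope settings kapone lists; swap `demo(False)` in to see the non-authoritative server answer the stale request with nothing at all, which is the behaviour the first post ran into.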
 

Thorzeen (New Member, Jun 15, 2018):

I have set up an old Infoblox box ($40 off eBay) to serve DHCP and DNS for all my VLANs. Somewhat steep learning curve, but there is a lot of documentation online. It has been working flawlessly for a couple of years. Or you could try a Pi-hole, or both.
 

EffrafaxOfWug (Radioactive Member, Feb 12, 2015):

Infoblox is basically just a fancy GUI on top of regular ISC bind and dhcpd. Well there's more to it than that of course, but for the purposes of this thread it's what it does under the hood. But personally I'd be inclined to get things working under regular bind+dhcpd before I added extra kit like the IB, and for most people's purposes dnsmasq will be more than adequate and is far simpler configuration-wise.

Speaking of which, is this dnsmasq running on another server or on the pfsense box itself?
 

RTM (Well-Known Member, Jan 26, 2014):

So.... just out of curiosity, what do you hope to achieve by not letting the pfsense box do DHCP?
Security and/or performance from running fewer services on the device?

Since you are already using a VM, why not just deploy another pfsense VM, and let that be DHCP/DNS?
 

BoredSysadmin (Not affiliated with Maxell, Mar 2, 2019):

I took Infoblox 5-day training 3 years ago and IMHO I'd only use it in the home/SMB as a learning opportunity. In real life I'd recommend basically any other solution.
Exceptions would only be Infoblox's target market of very large enterprises, which could benefit from its advanced features like DNS views, DNS security, etc.
Dnsmasq and raspie (BTW I'm running it as a VM) aren't authoritative DNS servers, only recursive.
pfSense includes BIND with a GUI, which is an authoritative DNS server, meaning that you can have your own home DNS domain/zone. I'm about to decommission an old Win2008R2 server only serving non-AD DNS (it also used to be a fax server).
I'm with RTM; I am curious why you wouldn't want pfSense to serve DNS and DHCP?
 

itronin (Well-Known Member, Nov 24, 2018, Denver, Colorado):

Help me understand too... I've been considering migrating off my Juniper SSG-5 to a pfSense box. I do have the Juniper handing out DHCP for my guest network. That "seems simple enough" for a pfSense migration. I also have more than a handful of other VLANs (IoT, VoIP, WAP mgmt...) and for those I had been using DHCP Relay (forward) from my Cisco SG500 to a Linux box (ISC BIND + DHCP). I know I can do the same thing with my new ICX 6610.

However, I thought I read that in order for pfSense to hand out DHCP it *must* have an interface in that VLAN. If that's correct, for each VLAN that I want to have DHCP, whether it needs Internet access or not, I must configure an interface. I'd be trunking to the pfSense box anyway so I guess I could set up all those interfaces - but do I want to? Not really.

So can pfSense be a DHCP server with scopes for subnets it is not directly connected to? If yes, then it makes sense to use it as the DHCP/BIND combo with a fancy GUI. If it does not, then it's not helpful to me at least, and maybe others.

thanks,

itr
 

fohdeesha (Kaini Industries, Nov 20, 2016, fohdeesha.com):

> So.... just out of curiosity, what do you hope to achieve by not letting the pfsense box do DHCP?
> Security and/or performance from running fewer services on the device?
>
> Since you are already using a VM, why not just deploy another pfsense VM, and let that be DHCP/DNS?

because pfSense is stubborn and in 2019 still is 100% unable to serve DHCP to not directly connected subnets, e.g. all your VLANs in a typical layer 3 switch routed setup. I've even offered them and OPNsense money: Feature: DHCP server able to handle non-interface configured subnets · Issue #1105 · opnsense/plugins - it's funny, because the RFC standard for this DHCP behavior is literally older than I am

another pfsense VM just for dhcp would be pretty silly, ISC-DHCP is way more flexible and lightweight
 

Blue)(Fusion (Active Member, Mar 1, 2017, Chicago):

> because pfSense is stubborn and in 2019 still is 100% unable to serve DHCP to not directly connected subnets, e.g. all your VLANs in a typical layer 3 switch routed setup. I've even offered them and OPNsense money: Feature: DHCP server able to handle non-interface configured subnets · Issue #1105 · opnsense/plugins - it's funny, because the RFC standard for this DHCP behavior is literally older than I am
>
> another pfsense VM just for dhcp would be pretty silly, ISC-DHCP is way more flexible and lightweight

@fohdeesha hit it right on the money. I had tried eliminating all of the VLANs off of pfSense so the switch did all routing except WAN and VPN. I had it finally set up how I wanted - the switch giving DHCP and pfSense strictly on WAN firewall, VPN, and DNS (manually entered local hosts) duty. Only then did I find out the issue with the ICX DNS server where it does not act as an authoritative server, so many IoT devices refused the DHCP offers.

I went back to adding each VLAN that needs DHCP on pfSense for now.

I guess dnsmasq does not offer what I need of it. Doing some reading on the server that was suggested here, isc-dhcpd, seems to do exactly what I want. I can set up a single NIC, no need for VLANs and it will serve DHCP requests on all of my VLANs with plenty of options. I'll need to figure out how to set it up with DNS and then I'll be happy as a clam.
 

kapone (Well-Known Member, May 23, 2015):

> I guess dnsmasq does not offer what I need of it. Doing some reading on the server that was suggested here, isc-dhcpd, seems to do exactly what I want. I can set up a single NIC, no need for VLANs and it will serve DHCP requests on all of my VLANs with plenty of options. I'll need to figure out how to set it up with DNS and then I'll be happy as a clam.

I use a Windows server for this but the concept is the same. A VLAN/scopes capable DHCP server with a static IP address (obviously) added to each VLAN (that requires DHCP services) on the switch as a helper.

In my case, the DHCP server gives out a DNS IP that points to itself (Windows AD/DNS), but in your case you'd configure the DHCP server to hand out the IP of the pfSense server as the DNS server.
 

BlueLineSwinger (Active Member, Mar 11, 2013):

> @fohdeesha hit it right on the money. I had tried eliminating all of the VLANs off of pfSense so the switch did all routing except WAN and VPN. I had it finally set up how I wanted - the switch giving DHCP and pfSense strictly on WAN firewall, VPN, and DNS (manually entered local hosts) duty. Only then did I find out the issue with the ICX DNS server where it does not act as an authoritative server, so many IoT devices refused the DHCP offers.
>
> I went back to adding each VLAN that needs DHCP on pfSense for now.
>
> I guess dnsmasq does not offer what I need of it. Doing some reading on the server that was suggested here, isc-dhcpd, seems to do exactly what I want. I can set up a single NIC, no need for VLANs and it will serve DHCP requests on all of my VLANs with plenty of options. I'll need to figure out how to set it up with DNS and then I'll be happy as a clam.

Yep, ISC-DHCP will have no problem with supporting scopes for multiple subnets, even if the host/VM/container it's running on does not have an interface on them. It's what I use at home. Just make sure to enable DHCP relay on the router (or switch, if it's layer-3 and doing the routing for your LAN).

My (sanitized) dhcpd.conf, FWIW:
Code:
### Global settings

authoritative;

# Lease times
default-lease-time 3600;
max-lease-time 3600;

# DDNS
ddns-update-style none;

# Logging
#log-facility local7;


### Global DHCP options

option domain-name-servers 192.168.10.30, 192.168.10.31, 192.168.10.1;
option domain-name "example.net";
option domain-search "example.net", "example.com";
option ntp-servers ntp.example.net;
option tcode "America/Los_Angeles";


### PXE Boot

option arch         code 93 = unsigned integer 16;
option magic        code 208 = string;
option configfile   code 209 = text;
option pathprefix   code 210 = text;
option reboottime   code 211 = unsigned integer 32;

class "pxeclients" {
  match if ( (substring (option vendor-class-identifier, 0, 9) = "PXEClient") or
             (substring (option vendor-class-identifier, 0, 9) = "Etherboot") );

  next-server pxe.example.net;
  allow booting;
  allow bootp;

  if (option arch = 00:09) {        # UEFI
    filename "efi64/syslinux.efi";
  } elsif (option arch = 00:07) {   # UEFI
    filename "efi64/syslinux.efi";
  } elsif (option arch = 00:0b) {   # ARM
    filename "efiaa64/aa64.efi";
  } else {                          # default to BIOS
    filename "bios/lpxelinux.0";
  }
}


### Unifi APs

option space ubnt;
option ubnt.unifi-address code 1 = ip-address;

class "ubnt" {
  match if substring (option vendor-class-identifier, 0, 4) = "ubnt";
  option vendor-class-identifier "ubnt";
  vendor-option-space ubnt;
}


### Subnet declarations

# LAN
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.100 192.168.10.199;
  option routers 192.168.10.1;
}

# WLAN
subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.100 192.168.20.199;
  option routers 192.168.20.1;
}

# Test WLAN
subnet 192.168.21.0 netmask 255.255.255.0 {
  range 192.168.21.100 192.168.21.199;
  option routers 192.168.21.1;
}

# Guest WLAN
subnet 192.168.25.0 netmask 255.255.255.0 {
  range 192.168.25.100 192.168.25.199;
  option routers 192.168.25.1;
  option domain-name-servers 9.9.9.9;
  option domain-name "";
  option domain-search "";
  option ntp-servers 0.us.pool.ntp.org, 1.us.pool.ntp.org;
}

# Admin subnet
subnet 192.168.99.0 netmask 255.255.255.0 {
  range 192.168.99.100 192.168.99.199;
  option routers 192.168.99.1;
  option ubnt.unifi-address unifi.example.net;  #Unifi controller
}


### Host declarations

host debcache {
  hardware ethernet FF:FF:FF:FF:06:E3;
  fixed-address debcache.example.net;
}

host plex {
  hardware ethernet FF:FF:FF:FF:18:E0;
  fixed-address plex.example.net;
}

host pxe {
  hardware ethernet FF:FF:FF:FF:8A:50;
  fixed-address pxe.example.net;
}

host radius {
  hardware ethernet FF:FF:FF:FF:6A:3D;
  fixed-address radius.example.net;
}

host squeezebox {
  hardware ethernet FF:FF:FF:FF:8A:81;
  fixed-address squeezebox.example.net;
}

host unifi {
  hardware ethernet FF:FF:FF:FF:41:52;
  fixed-address unifi.example.net;
}

host www {
  hardware ethernet FF:FF:FF:FF:34:1B;
  fixed-address www.example.net;
}

I'm not presently using DDNS, so I can't quite help there at the moment. Instead, any host/server I have that gets its IP via DHCP has that address set in DNS, and then ISC-DHCP does a lookup when the host does a DHCP request (the 'fixed-address' declaration with an unquoted FQDN).

Also, as an FYI, ISC has a successor to ISC-DHCP named Kea, which may be worth checking out. Unfortunately though, many of its more advanced features are hidden behind subscriptions and licenses.
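A check worth running before pointing the switch's helpers at a server like this, as an added example (not code from the thread or from ISC): a small Python lint pass over a dhcpd.conf of the shape posted above. It verifies the things that break a relayed setup: every range inside its subnet, routers on their subnet, no overlapping subnet declarations, `authoritative;` present, and a subnet declaration covering every relay address (the giaddr, i.e. each ve that carries `ip helper-address`). The sample conf is constructed from the posted one with one deliberately broken subnet added; the relay addresses passed to `lint()` are assumptions.

```python
import ipaddress
import re

# Added example, not the thread's code: a lint pass for a relayed dhcpd.conf.
# SAMPLE_CONF is constructed from the posted config plus one deliberately broken
# subnet; the relay (ve / helper) addresses passed to lint() are assumptions.
SAMPLE_CONF = """
authoritative;
option domain-name-servers 192.168.10.30, 192.168.10.31, 192.168.10.1;

subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.100 192.168.10.199;
  option routers 192.168.10.1;
}
subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.100 192.168.20.199;
  option routers 192.168.20.1;
}
# constructed: fat-fingered range end and a router copied from another VLAN
subnet 192.168.25.0 netmask 255.255.255.0 {
  range 192.168.25.100 192.168.52.199;
  option routers 192.168.20.1;
  option domain-name-servers 9.9.9.9;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"^\s*range\s+(?:dynamic-bootp\s+)?([\d.]+)(?:\s+([\d.]+))?\s*;", re.M)
ROUTERS_RE = re.compile(r"option\s+routers\s+([^;]+);")


def lint(conf, relay_addrs=()):
    """Return a list of findings for a dhcpd.conf. Only flat subnet { } blocks are
    parsed; nested pool/class blocks inside a subnet are not handled."""
    text = re.sub(r"#.*", "", conf)          # drop comments
    findings, subnets = [], []
    if not re.search(r"^\s*authoritative\s*;", text, re.M):
        findings.append("global: 'authoritative;' missing; server will not NAK clients holding stale leases")
    global_routers = ROUTERS_RE.search(SUBNET_RE.sub("", text))
    for addr, mask, body in SUBNET_RE.findall(text):
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}")
        except ValueError as err:
            findings.append(f"{addr}/{mask}: bad subnet declaration ({err})")
            continue
        for m in RANGE_RE.finditer(body):
            lo = ipaddress.ip_address(m.group(1))
            hi = ipaddress.ip_address(m.group(2) or m.group(1))
            if lo not in net or hi not in net or lo > hi:
                findings.append(f"{net}: range {lo}-{hi} is not inside the subnet")
        m = ROUTERS_RE.search(body)
        if m:
            for r in m.group(1).split(","):
                router = ipaddress.ip_address(r.strip())
                if router not in net:
                    findings.append(f"{net}: router {router} is not on this subnet")
        elif not global_routers:
            findings.append(f"{net}: no 'option routers'; relayed clients get no default gateway")
        for other in subnets:
            if net.overlaps(other):
                findings.append(f"{net}: overlaps {other}")
        subnets.append(net)
    # Every relay agent address (giaddr) must fall in a declared subnet; otherwise the
    # server has no scope to serve the forwarded request from and drops it.
    for r in relay_addrs:
        if not any(ipaddress.ip_address(r) in n for n in subnets):
            findings.append(f"relay {r}: no subnet declaration covers it; relayed requests will be dropped")
    return findings


if __name__ == "__main__":
    # Relay addresses assumed to be the ve interfaces for VLANs 10, 20, 25 and 99.
    for line in lint(SAMPLE_CONF, ["192.168.10.1", "192.168.20.1", "192.168.25.1", "192.168.99.1"]):
        print(line)
```

Feed it the real file and the list of ve addresses you configured `ip helper-address` on; the relay check is the one that catches a VLAN that was added on the switch but never got a `subnet` block, which otherwise shows up only as clients that never get an offer.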