Hi everyone, I’d like to know
What is the optimal DHCP server deployment strategy for an infrastructure? I’m planning to introduce a firewall into a Windows Server environment with 4 domain controllers, 3 switches, and no router. Should I configure the DHCP server on the firewall or within the domain controllers to enable DHCP failover clustering? Additionally, do the switches need to act as DHCP relays?
The ISP router is currently acting as the DHCP server. As the firewall is not yet purchased, I haven’t decided which one to choose among UDM SE, Forti, Cisco Firepower, and Sophos.
Our IT infrastructure serves a selling company with 11 servers located at the head office, hosting selling apps. We also have 8 shops across the country where users connect via RDP to access these selling apps. Additionally, we have servers distributed across departments (HR, Marketing, Accounting, IT) in the head office. Apart from that, we have CCTV and access control devices, TVs, NAS, and access points. Port forwarding is configured on the ISP router with DDNS to allow remote access to servers from remote shops.
We need to set up 4 VLANs:
Servers
CCTV and AC devices
Guests
VoIP
PCs
We also need to map a file share to PCs in the head office, as they will not be located in the same VLANs as the servers. I need a configuration on the firewall that will allow me to achieve this.
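One way to lay out the domain-controller-hosted option the question asks about (per-VLAN scopes, DNS handed out as the DCs, failover between two DCs), as an added example that is not from this thread or any of its posters; all hostnames, addresses and VLAN numbers are constructed placeholders, and clients in VLANs the DCs are not attached to still need a DHCP relay (ip helper on the switches, or the firewall's relay) pointed at both DCs:

```powershell
# Added example: Windows DHCP on two DCs with per-VLAN scopes and failover.
# Run elevated on a machine with the DHCP RSAT cmdlets; all names/IPs are placeholders.
$Primary = 'DC1.corp.example'                      # assumed hostnames
$Partner = 'DC2.corp.example'
$DnsList = @('10.10.1.10', '10.10.1.11')           # assumed DC addresses in the Servers VLAN

# One scope per VLAN that should lease addresses. The Servers VLAN stays static,
# and the Guests VLAN is deliberately left off the AD DHCP servers so guests never
# receive the internal DNS servers; serve it from the firewall instead.
$Scopes = @(
    @{ Name = 'VLAN20-PCs';     Net = '10.10.20.0'; Start = '10.10.20.50'; End = '10.10.20.250'; Gw = '10.10.20.1' },
    @{ Name = 'VLAN30-VoIP';    Net = '10.10.30.0'; Start = '10.10.30.50'; End = '10.10.30.250'; Gw = '10.10.30.1' },
    @{ Name = 'VLAN40-CCTV-AC'; Net = '10.10.40.0'; Start = '10.10.40.50'; End = '10.10.40.250'; Gw = '10.10.40.1' }
)

foreach ($DC in @($Primary, $Partner)) {
    # Install the role, then authorize the server in AD so that only approved
    # servers answer DHCP on the domain (unauthorized Windows DHCP servers stay silent).
    Invoke-Command -ComputerName $DC -ScriptBlock {
        Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
    }
    Add-DhcpServerInDC -DnsName $DC
}

foreach ($S in $Scopes) {
    Add-DhcpServerv4Scope -ComputerName $Primary -Name $S.Name `
        -StartRange $S.Start -EndRange $S.End -SubnetMask 255.255.255.0 -State Active
    # Option 3 (router) is per VLAN; option 6 (DNS) is always the domain controllers
    # so domain-joined PCs can resolve AD records from a VLAN other than the servers'.
    Set-DhcpServerv4OptionValue -ComputerName $Primary -ScopeId $S.Net `
        -Router $S.Gw -DnsServer $DnsList -DnsDomain 'corp.example'
}

# Load-balanced failover: both DCs serve every scope and keep lease state in sync.
# The shared secret authenticates failover messages between the two servers;
# pull it from a vault rather than hard-coding it in a script.
$Secret = Read-Host 'Failover shared secret'
Add-DhcpServerv4Failover -ComputerName $Primary -Name 'DC1-DC2' -PartnerServer $Partner `
    -ScopeId ($Scopes | ForEach-Object { $_.Net }) -LoadBalancePercent 50 `
    -MaxClientLeadTime 1:00:00 -AutoStateTransition $true -StateSwitchInterval 0:10:00 `
    -SharedSecret $Secret

# Verify the relationship is Normal on both sides before cutting DHCP off the ISP router.
Get-DhcpServerv4Failover -ComputerName $Primary | Format-Table Name, Mode, State, PartnerServer
```

After this, `Get-DhcpServerv4Scope -ComputerName $Partner` should list the same scopes, which is how you confirm the partner is actually replicating before you disable DHCP on the ISP router.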
For me, I like to keep networking functions on network devices. I set up DHCP on the firewall and then set the DNS server IPs to the domain controllers. Also, you don’t have to fool around with setting up a relay on all your switches.
I heard that if you go the DHCP route for Windows you have to have the proper Windows licensing for that, meaning a license for every device that uses DHCP.
For the firewall we use pfSense in HA at the main office, and then we have 18 site-to-site VPNs back to the main office, all running pfSense. They used to be FortiGate, but the licensing was a killer in cost. That said, I don’t know if you have looked into pfSense, but it will fit your requirements.
Great, I have never used pfSense for work purposes. I really want to avoid licensing issues, which is why I’m also considering the UDM SE. I’ve heard that pfSense would require more documentation from my end. Additionally, I’ve heard that the UDM is more user-friendly, requires less maintenance, and demands less technical knowledge. However, I won’t hesitate to go for pfSense if it’s the right choice, especially considering our infrastructure is expected to expand. I’ll look into it further. As for hardware and VPN, what kind do you use with pfSense?
Our main site uses the Netgate 8200 MAX in HA. It handles 18 site-to-site VPNs without blinking and about 15 employees connected with OpenVPN all the time. We use the QAT acceleration. For offsite work you can use WireGuard or OpenVPN. I personally use the OpenVPN server on pfSense, and I use the OpenVPN Connect client I download from the OpenVPN site (it looks prettier), although you can use the bundled config and older OpenVPN client you download from pfSense when exporting the configuration. There is good documentation on both, and Tom has done configuration videos on these as well.