DHCP Server and Firewall Selection

Hi everyone, I’d like to know
What is the optimal DHCP server deployment strategy for an infrastructure? I’m planning to introduce a firewall into a Windows Server environment with 4 domain controllers, 3 switches, and no router. Should I configure the DHCP server on the firewall or within the domain controllers to enable DHCP failover clustering? Additionally, do the switches need to act as DHCP relays?

The ISP router is currently acting as the DHCP server. As the firewall is not yet purchased, I haven’t decided which one to choose among UDM SE, Forti, Cisco Firepower, and Sophos.

Our IT infrastructure serves a selling company with 11 servers located at the head office, hosting selling apps. We also have 8 shops across the country where users connect via RDP to access these selling apps. Additionally, we have servers distributed across departments (HR, Marketing, Accounting, IT) in the head office. Apart from that, we have CCTV and access control devices, TVs, NAS, and access points. Port forwarding is configured on the ISP router with DDNS to allow remote access to servers from remote shops.

We need to set up 4 VLANs:

  1. Servers
  2. CCTV and AC devices
  3. Guests
  4. VoIP
  5. PCs

We also need to map a file share to PCs in the head office, as they will not be located in the same VLANs as the servers. I need a configuration on the firewall that will allow me to achieve this.

In summary, I’d like to know:

  1. Which firewall best suits our needs?
  2. Where should the DHCP server be located?

Welcome to the community!

For me, I like to keep networking functions on network devices. I set up DHCP on the firewall and then set the DNS server IPs to the domain controllers. Also, I don’t have to fool around with setting up a relay on all your switches.

I heard that if you go the DHCP route for Windows you have to have the proper Windows licensing for that, meaning a license for every device that uses DHCP.

For the firewall we use pfSense in HA at the main office, and then we have 18 site-to-site VPNs back to the main office, all running pfSense. They used to be FortiGate, but the licensing was a killer in cost. That said, I don’t know if you have looked into pfSense, but it will fit your requirements.

Has anybody here ever needed DHCP failover?

As for firewall, go with the best CYA option. Firewall features are commoditized, even if the costs are not.

Everybody here will recommend pfSense, which is a solid option as long as you aren’t taking any reputation risk. Otherwise, why bother?

No to DHCP failover, but split the DHCP scope so that clients have two domain controllers.
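Added example (not posted by anyone in this thread): the split-scope arrangement recommended above, configured on two Windows Server domain controllers with the DhcpServer PowerShell module, plus the built-in DHCP failover relationship the original question asked about as an either/or alternative. The hostnames DC01/DC02, the 10.10.20.0/24 "PCs" subnet, the DC addresses, the gateway and the AD domain name are assumptions chosen for illustration; run it from an elevated session on a machine with the DHCP RSAT tools.

```powershell
# Added example, not from the original thread. Every address and hostname below is an assumption.
$Dc1        = 'DC01'                        # assumed first DHCP server (domain controller)
$Dc2        = 'DC02'                        # assumed second DHCP server (domain controller)
$Domain     = 'corp.example'                # assumed AD DNS domain
$ScopeId    = '10.10.20.0'                  # assumed "PCs" VLAN subnet
$Mask       = '255.255.255.0'
$Gateway    = '10.10.20.1'                  # assumed firewall interface in the PCs VLAN
$DnsServers = '10.10.10.11', '10.10.10.12'  # assumed DC addresses in the Servers VLAN
$UseFailover = $false                       # $true = failover relationship instead of split scope

# Rogue-DHCP guard: a Windows DHCP server only serves clients once authorized in AD.
# Fail early if either DC is not authorized, rather than silently handing out nothing.
$Authorized = (Get-DhcpServerInDC).DnsName
foreach ($Server in $Dc1, $Dc2) {
    if ($Authorized -notcontains "$Server.$Domain") {
        throw "$Server.$Domain is not an authorized DHCP server in AD; run Add-DhcpServerInDC first."
    }
}

if (-not $UseFailover) {
    # Split scope: identical scope definition on both servers, with exclusion
    # ranges so each server only leases its own 80/20 portion of the pool.
    foreach ($Server in $Dc1, $Dc2) {
        Add-DhcpServerv4Scope -ComputerName $Server -Name 'PCs VLAN' `
            -StartRange '10.10.20.50' -EndRange '10.10.20.250' `
            -SubnetMask $Mask -LeaseDuration (New-TimeSpan -Days 8) -State Active

        # Scope options: default gateway on the firewall, DNS pointed at the DCs.
        Set-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId `
            -Router $Gateway -DnsServer $DnsServers -DnsDomain $Domain
    }

    # DC01 leases .50-.210 (80%), DC02 leases .211-.250 (20%).
    Add-DhcpServerv4ExclusionRange -ComputerName $Dc1 -ScopeId $ScopeId `
        -StartRange '10.10.20.211' -EndRange '10.10.20.250'
    Add-DhcpServerv4ExclusionRange -ComputerName $Dc2 -ScopeId $ScopeId `
        -StartRange '10.10.20.50'  -EndRange '10.10.20.210'

    # Delay DC02's DHCPOFFER by 1 s so DC01 normally wins while it is up.
    Set-DhcpServerv4Scope -ComputerName $Dc2 -ScopeId $ScopeId -Delay 1000
}
else {
    # Alternative: the DHCP failover relationship (Windows Server 2012 and later).
    # The scope exists on DC01 only; the cmdlet replicates it to DC02 and both
    # servers share lease state, so no exclusion ranges are needed.
    Add-DhcpServerv4Scope -ComputerName $Dc1 -Name 'PCs VLAN' `
        -StartRange '10.10.20.50' -EndRange '10.10.20.250' `
        -SubnetMask $Mask -LeaseDuration (New-TimeSpan -Days 8) -State Active
    Set-DhcpServerv4OptionValue -ComputerName $Dc1 -ScopeId $ScopeId `
        -Router $Gateway -DnsServer $DnsServers -DnsDomain $Domain

    $Secret = Read-Host -AsSecureString 'Failover shared secret'
    $Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret))
    Add-DhcpServerv4Failover -ComputerName $Dc1 -Name 'PCs-Failover' `
        -PartnerServer $Dc2 -ScopeId $ScopeId -LoadBalancePercent 50 `
        -SharedSecret $Plain -AutoStateTransition $true
}

# Verify what each server will actually lease.
foreach ($Server in $Dc1, $Dc2) {
    Get-DhcpServerv4Scope -ComputerName $Server -ScopeId $ScopeId -ErrorAction SilentlyContinue |
        Select-Object @{n='Server';e={$Server}}, ScopeId, StartRange, EndRange, State, Delay
    Get-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId $ScopeId -ErrorAction SilentlyContinue
}
```

Whichever variant is used, the DCs live in the Servers VLAN while the clients are in the PCs VLAN, and DHCPDISCOVER is a broadcast that does not cross a layer-3 boundary. Since the switches in the question are described as having no routing role, the device that routes between the VLANs (the firewall) has to run a DHCP relay (IP helper) pointing at both DC addresses; the switches themselves do not need to relay. The shared secret for the failover variant is read interactively rather than stored in the script on purpose: it authenticates the two servers' replication channel and should not sit in plain text in a file.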

Do you have a feature list of what you need from the firewall, so that you can check whether the firewall offers the functions you want?

Great, I have never used pfSense for work purposes. I really want to avoid licensing issues, which is why I’m also considering the UDM SE. I’ve heard that pfSense would require more documentation from my end. Additionally, I’ve heard that the UDM is more user-friendly, requires less maintenance, and demands less technical knowledge. However, I won’t hesitate to go for pfSense if it’s the right choice, especially considering our infrastructure is expected to expand. I’ll look into it further. As for hardware and VPN, what kind do you use with pfSense?

Our main site uses the Netgate 8200 MAX in HA. It handles 18 site-to-site VPNs without blinking and about 15 employees connected with OpenVPN all the time. We use the QAT acceleration. For offsite work you can use WireGuard or OpenVPN. I personally use the OpenVPN server on pfSense, and I use the OpenVPN Connect client I download from the OpenVPN site (it looks prettier), although you can use the bundled config and older OpenVPN client you download from pfSense when exporting the configuration. There is good documentation on both, and Tom has done configuration videos on these as well.
