
Topic: Static local IP Addresses - Best practise?


Offline rwillett

Static local IP Addresses - Best practise?
« on: February 04, 2018, 11:47:40 am »
Hi,

We've just moved to pfSense from Smoothwall, we tried out pfSense and the networking logging clinched it for us.

Whilst we have no issues (so far) with pfSense, indeed it only took a few hours from scratch to get a working system, we're trying to work out the best practise for handling local internal static IP addresses.

In Smoothwall we would assign a static IP Address for a client on the client and log the static IP address in the Smoothwall DNS resolver. We might have 30 clients (they tend to be servers) that work like this. Other machines just get the normal DHCP treatment. These machines are all local non-routable machines with no incoming from the outside world.

We can't see a directly similar system in pfSense, we *think* the way to handle this is to use the DNS Resolver and use host overrides to give us some local DNS capability. The only downside we can see is that pfSense requires an FQDN to be set whereas Smoothwall allowed just the hostname. Not a big change for us.

Is this the best way to do this? Bind seems overkill for quite a simple static DNS system. We do know we can also assign static IP addresses from the DHCP server based on the MAC address. Not sure if this is the best way, so we'd welcome any thoughts on this.

Thanks again.

Rob

Offline kpa

Re: Static local IP Addresses - Best practise?
« Reply #1 on: February 04, 2018, 12:40:09 pm »
There's no such thing as a plain hostname in DNS, everything is completed to FQDNs for resolution and is then fed to the set forwarders. What Smoothwall does I have no experience with but I'm pretty damn sure it doesn't resolve plain hostnames.

Offline JKnott

Re: Static local IP Addresses - Best practise?
« Reply #2 on: February 04, 2018, 01:38:29 pm »
Aside from the DNS issues, there are 2 ways to assign a static IP.  One, just manually configure the address.  2nd, map the MAC address to an IP address in the DHCP server.  Whichever you use depends on your requirements.  For a portable device, I'd definitely go with DHCP mapping.

Offline rwillett

Re: Static local IP Addresses - Best practise?
« Reply #3 on: February 04, 2018, 03:45:40 pm »
I perhaps phrased how Smoothwall works inelegantly, you can enter simple hostnames and FQDNs and it will resolve either. I'm looking at the page now on my old Smoothwall server and we have a significant number just entered as a hostname. It may well be that under the covers Smoothwall makes them into an FQDN, but the user doesn't need to declare them as FQDNs and I could certainly do a DNS lookup just on the hostname. What it does deep down, I haven't bothered to check, so I assume it's doing the right thing and making it all work seamlessly.

Thanks for the help.

Rob

Offline JKnott

Re: Static local IP Addresses - Best practise?
« Reply #4 on: February 04, 2018, 04:41:56 pm »
If you can use just a host, then there's a search domain providing the rest of the FQDN.  For example, if I were on the pfSense LAN, I could ping the FQDN forum.pfsense.org or just forum, provided the search domain pfsense.org had been configured.  I bet that's the case with Smoothwall.  pfSense can do that, with the host names specified on the DNS Resolver page and the domain name on the General Setup page.
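The search-domain mechanism JKnott describes is easy to see in a small model. The following is an added example, not code from this thread or from pfSense: it stores host overrides the way pfSense does (one FQDN per entry), qualifies a short name through a search list the way a typical stub resolver does (glibc's default ndots:1 rule), and renders the entries in Unbound's `local-data:` syntax. The override table, the `example.lan` search domain and the addresses are constructed for the illustration.

```python
"""Resolve short host names against DNS Resolver host overrides via a search domain.

Constructed example: the overrides and the search domain below are made up for
this illustration; they are not the poster's configuration.
"""

# Host overrides as pfSense stores them: one FQDN per entry, mapped to an address.
HOST_OVERRIDES = {
    "fileserver.example.lan": "192.168.1.10",
    "printer.example.lan": "192.168.1.20",
}

# Search domain handed to clients (on pfSense, the domain from General Setup).
SEARCH_DOMAINS = ["example.lan"]


def qualify(name: str, search_domains: list[str], ndots: int = 1) -> list[str]:
    """Return the candidate FQDNs a stub resolver tries for `name`, in order.

    Mirrors the common resolver rule (glibc's default ndots:1): a name ending in
    '.' is absolute; a name with at least `ndots` dots is tried as-is before the
    search list; a bare label goes through the search list first.
    """
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    name = name.lower()
    searched = [f"{name}.{d.strip('.').lower()}" for d in search_domains]
    if name.count(".") >= ndots:
        return [name] + searched
    return searched + [name]


def resolve(name: str, overrides: dict[str, str], search_domains: list[str]):
    """Look `name` up in the override table, trying each qualified candidate.

    Returns (fqdn_matched, address), or None when no override matches.
    """
    table = {fqdn.lower().rstrip("."): ip for fqdn, ip in overrides.items()}
    for candidate in qualify(name, search_domains):
        if candidate in table:
            return candidate, table[candidate]
    return None


def unbound_local_data(overrides: dict[str, str]) -> list[str]:
    """Render the overrides as Unbound `local-data:` lines (Unbound's static-answer syntax)."""
    return [f'local-data: "{fqdn.rstrip(".")}. IN A {ip}"' for fqdn, ip in overrides.items()]


if __name__ == "__main__":
    for query in ["fileserver", "fileserver.example.lan", "fileserver.example.lan.", "laptop"]:
        print(f"{query:26} tries {qualify(query, SEARCH_DOMAINS)}")
        print(f"{'':26} -> {resolve(query, HOST_OVERRIDES, SEARCH_DOMAINS)}")
    print("\n".join(unbound_local_data(HOST_OVERRIDES)))
```

The point it makes: the override itself must be stored as an FQDN, but a client that has `example.lan` as its search domain still resolves `fileserver` because the resolver appends the search domain before asking. A bare name that matches nothing (`laptop` above) falls through to None, which is the case to watch for when migrating a list of short names.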

Offline curtisgrice

Re: Static local IP Addresses - Best practise?
« Reply #5 on: February 11, 2018, 08:53:05 am »
Quote from: JKnott on February 04, 2018, 01:38:29 pm
> Aside from the DNS issues, there are 2 ways to assign a static IP.  One, just manually configure the address.  2nd, map the MAC address to an IP address in the DHCP server.  Whichever you use depends on your requirements.  For a portable device, I'd definitely go with DHCP mapping.

I would note from experience, if you want a static address on a server, set the static address on the server. You don't want your servers to go offline if there is a hiccup with dhcp when they try to renew their static mapping.
Slow code? Sounds like a good reason to buy more hardware!

Offline JKnott

Re: Static local IP Addresses - Best practise?
« Reply #6 on: February 11, 2018, 10:15:54 am »
^^^^
Yep, that's why my main desktop system had a static config, but all other clients use mapped DHCP.

Offline johnpoz

Re: Static local IP Addresses - Best practise?
« Reply #7 on: February 11, 2018, 10:32:18 am »
Being worried about something going offline because your dhcp server is offline for your servers.. Hmmm.. Why not just run a longer lease.. If you ran a lease for 24 hours.. You would be sure - unless you rebooted them during your dhcp outage for a good 12 hours..  Leases renew at the 1/2 mark normally, so any client should always be able to run for 1/2 of your lease time with dhcp server offline..

The advantage of running dhcp for stuff like servers via reservations is you can facilitate a change across a huge amount of devices with a simple dhcp change.. Say you want to point to different dns, or new gateway, or change your ntp server, etc. etc.. There are multiple options that can be handed out via dhcp that setting client to static would force you to touch that client on such changes.

Shoot you can change the IP range on your whole network with a simple dhcp server change without actually having to touch a device, etc.

If you're worried about dhcpd going down - its also very simple to just run a failover setup for dhcp..   Couple of devices sure static right on the device.. But as you ramp up  the number of devices actually setting static on the clients becomes a PITA if something needs to be changed on the network.

As your network grows the only thing that should be static should be your routers/firewall server handing out dhcpd ;)

What is your current dhcp lease time?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
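The lease-timer argument above can be checked with a small model. The following is an added example, not code from this thread or from pfSense: it walks a single DHCP client through the RFC 2131 default timers (renewal attempt at 1/2 of the lease, rebinding at 7/8, address dropped at expiry) across a constructed server outage, with or without a reboot in the middle, and also computes the worst-case outage any steady-state client tolerates for an arbitrary lease length, which is the general form of the "24-hour lease, 12-hour outage" case. The hourly retry interval and the rule that a rebooted client has no usable address until the server answers are assumptions of the model, not pfSense or ISC dhcpd behaviour taken from the page.

```python
"""Model a DHCP client's lease timers (RFC 2131 defaults) through a DHCP server outage.

Constructed scenario: one client, one DHCP server, time in hours measured from the
moment the client first obtained its lease at t = 0.
"""
from dataclasses import dataclass, field
from math import inf

T1_FRACTION = 0.5     # RFC 2131 renewal timer: unicast renew request at 1/2 of the lease
T2_FRACTION = 0.875   # RFC 2131 rebinding timer: broadcast at 7/8 (informational here)
RETRY_HOURS = 1.0     # assumption: the modelled client retries hourly after a failed attempt


@dataclass
class Outage:
    """Half-open interval [start, end) during which the DHCP server does not answer."""
    start: float
    end: float

    def server_up(self, t: float) -> bool:
        return not (self.start <= t < self.end)


@dataclass
class Result:
    stayed_online: bool      # True if the client never lost its address
    offline_intervals: list  # [(from, to), ...] periods without a usable address
    events: list = field(default_factory=list)


class Client:
    """Lease state of one client: when it got its lease, whether it still holds an address."""

    def __init__(self, lease_hours: float):
        self.lease_hours = lease_hours
        self.obtained_at = 0.0
        self.has_address = True
        self.offline_since = None
        self.offline_intervals = []
        self.events = []
        self.next_attempt = lease_hours * T1_FRACTION  # first renewal attempt at T1

    @property
    def expires_at(self) -> float:
        return self.obtained_at + self.lease_hours if self.has_address else inf

    def acquire(self, t: float, what: str) -> None:
        """Successful renew/reacquire: a fresh full lease starting now."""
        if not self.has_address:
            self.offline_intervals.append((self.offline_since, t))
            self.has_address = True
        self.obtained_at = t
        self.next_attempt = t + self.lease_hours * T1_FRACTION
        self.events.append((t, what))

    def fail(self, t: float, what: str) -> None:
        self.next_attempt = t + RETRY_HOURS
        self.events.append((t, what))

    def drop(self, t: float, what: str) -> None:
        if self.has_address:
            self.has_address, self.offline_since = False, t
        self.fail(t, what)


def simulate(lease_hours: float, outage: Outage, horizon: float, reboot_at=None) -> Result:
    """Step the client through renewals, expiry and an optional reboot until `horizon`."""
    c = Client(lease_hours)
    t = 0.0
    while True:
        pending_reboot = reboot_at if (reboot_at is not None and reboot_at >= t) else inf
        t = min(c.next_attempt, c.expires_at, pending_reboot)
        if t >= horizon:
            break
        if t == pending_reboot:
            # Assumption: a rebooted client needs a server answer before it has an address.
            reboot_at = None
            if outage.server_up(t):
                c.acquire(t, "reboot: lease reacquired")
            else:
                c.drop(t, "reboot: no DHCP answer, client offline")
        elif t == c.expires_at:
            c.drop(t, "lease expired, address dropped")  # no renewal before expiry
        elif outage.server_up(t):
            c.acquire(t, "renewed")
        else:
            c.fail(t, "renew failed, server down")
    if not c.has_address:
        c.offline_intervals.append((c.offline_since, horizon))
    return Result(not c.offline_intervals, c.offline_intervals, c.events)


def worst_case_tolerance_hours(lease_hours: float) -> float:
    """Longest outage a steady-state client is guaranteed to ride out without a reboot.

    Between renewals the remaining lifetime shrinks from a full lease to
    lease * (1 - T1); an outage starting just before T1 hits that minimum.
    """
    return lease_hours * (1 - T1_FRACTION)


if __name__ == "__main__":
    print("24h lease tolerates", worst_case_tolerance_hours(24), "h without a reboot")
    for label, kwargs in [("no reboot", {}), ("reboot at 15h", {"reboot_at": 15})]:
        r = simulate(24, Outage(10, 22), 48, **kwargs)
        print(label, "->", "online throughout" if r.stayed_online else r.offline_intervals)
```

Running it shows the two sides of the thread's disagreement in one place: with a 24-hour lease the client holds its address through a 12-hour outage, the worst case being exactly half the lease; a reboot during the outage is the scenario that takes it offline; and a short lease (try `simulate(4, Outage(0.5, 10), 24)`) expires mid-outage even without a reboot.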

Offline curtisgrice

Re: Static local IP Addresses - Best practise?
« Reply #8 on: February 12, 2018, 05:06:40 pm »
Quote from: johnpoz on February 11, 2018, 10:32:18 am
> Being worried about something going offline because your dhcp server is offline for your servers.. Hmmm.. Why not just run a longer lease.. If you ran a lease for 24 hours.. You would be sure - unless you rebooted them during your dhcp outage for a good 12 hours..  Leases renew at the 1/2 mark normally, so any client should always be able to run for 1/2 of your lease time with dhcp server offline..
>
> The advantage of running dhcp for stuff like servers via reservations is you can facilitate a change across a huge amount of devices with a simple dhcp change.. Say you want to point to different dns, or new gateway, or change your ntp server, etc. etc.. There are multiple options that can be handed out via dhcp that setting client to static would force you to touch that client on such changes.
>
> Shoot you can change the IP range on your whole network with a simple dhcp server change without actually having to touch a device, etc.
>
> If you're worried about dhcpd going down - its also very simple to just run a failover setup for dhcp..   Couple of devices sure static right on the device.. But as you ramp up  the number of devices actually setting static on the clients becomes a PITA if something needs to be changed on the network.
>
> As your network grows the only thing that should be static should be your routers/firewall server handing out dhcpd ;)
>
> What is your current dhcp lease time?

I do agree with this for larger environments. There are still a number of cases where static is a must (at least for me), in fact there are a number of services that require it. Of course as with many things in IT, there is no one right answer or one solution to rule them all.