Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.
-
I have an existing environment with an untagged LAN and two VLANs. I have no control over one of the VLANS. With the exception of constant DHCP issues which I believe are a result of an inadequate DHCP server on an Sonicwall NSA 220, it is all working fine.
I have two issues and I think solving the DHCP server will resolve the second.
So you know what I am battling, I will outline the problems here:
- I often see IP conflicts in the NSA220 logs.
- I often do not get IP addresses served up for any devices even though there may be hundreds of available IPs in the pool.
- I have some Iphones that absolutely refuse to get an IP address if they are connecting to the network through a VLAN.
Problems 1 and 2 are always resolved by rebooting the SW NSA220.
If problem 3 is related to the SW NSA220 and VLAN, it may be resolved when I move the DHCP server to the Windows Server.
I have been studying the mostly incomplete or too complex or cisco based IP Helper information I can find and I thought I was doing great until it just doesn't work as I expect.
Here's what I have done so far:
Sonicwall -
Create new Virtual Interface on the LAN port called VLAN 10.
Turn On IP Helper
Turn On DHCP in IP Helper
Add a policy to send DHCP Requests to the Windows DHCP Server
In the Windows Server -
I have created a new scope
As I understand it, there is nothing special about the DHCP scope in the Windows DHCP Server because when the DHCP request arrives at the DHCP server, it will look at the gateway used inside the request and use that subnet to determine which DHCP pool to assign from.
It all seems so easy until it doesn't work!
-
First things first - did this ever work? or is this a new setup?
Is the sonicwall what is routing packets between VLANs?
If the sonicwall is routing packets between the VLANs, then it will need an interface in all the VLANs.
When you created the VLAN 10 interface on the X0 interface, did you also assign tagged VLAN 10 traffic to that port on the Cisco switch side?
-
Why are you moving DHCP to Windows from your SonicWall?
FYI - DHCP/DNS usage requires Windows CALs - i.e. if you are putting this on a guest network, technically you'll need licenses for every device that gets a DHCP address (company users should be covered by their user CAL, but guests would need one). This is why you should leave DHCP for any guest networks on something that doesn't costs licenses - like the Sonicwall.
-
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
First things first - did this ever work? or is this a new setup?
It's been problematic since we moved the Guest WiFi to a VLAN. The more visitors, the more serious and aggressive the problem.
Is the sonicwall what is routing packets between VLANs?
Yes.
If the sonicwall is routing packets between the VLANs, then it will need an interface in all the VLANs.
There is only the non VLAN LAN (X0) and the VLAN (X0:10)
When you created the VLAN 10 interface on the X0 interface, did you also assign tagged VLAN 10 traffic to that port on the Cisco switch side?
When I mentioned Cisco above, it was only in reference of the documentation I found online. This environment is a Sonicwall acting as the router/firewall and all UniFi switches.
The sonicwall is plugged into port 48 on one of the switches and that port is set to the All profile.
Appreciate your time on this.
-
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
FYI - DHCP/DNS usage requires Windows CALs - i.e. if you are putting this on a guest network, technically you'll need licenses for every device that gets a DHCP address
And I really appreciate this reminder! What a catastrophe that would have been!
-
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
There is only the non VLAN LAN (X0) and the VLAN (X0:10)
I should rephrase this. There is a VLAN 100 that is mostly isolated from the LAN and it is for the phones. They have their own dhcp server and PBX managed by someone else. (For now!)
-
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
The sonicwall is plugged into port 48 on one of the switches and that port is set to the All profile.
OK, so this is how the SonicWall can get access to the third VLAN physically, though since you don't have a second virtual port created on that connection on the SonicWall side, I don't see how the SonicWall is talking to that network.
Can you give us a bit more detail?
i.e. something like this
SonicWall
Internal
X0 - LAN (192.168.100.x/24) (DHCP - AD)
X0:10 - Guest (192.168.10.x/24) (DHCP - SonicWall)VLAN 3 - phones/VOIP (10.10.10.x/24) (DHCP - PBX)
*edit - After seeing your last post, I think the above is what you have.
-
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
There is only the non VLAN LAN (X0) and the VLAN (X0:10)
I should rephrase this. There is a VLAN 100 that is mostly isolated from the LAN and it is for the phones. They have their own dhcp server and PBX managed by someone else. (For now!)
Awww, so this network has not internet access at this time?
-
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
OK, so this is how the SonicWall can get access to the third VLAN physically, though since you don't have a second virtual port created on that connection on the SonicWall side, I don't see how the SonicWall is talking to that network.
The Sonicwall has no interaction with that third VLAN (which is the phones). The phone talk to their own PBX, the PBX has two NICs, one for the phones, one on my LAN.
-
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
Awww, so this network has not internet access at this time?
Correct, and should never have it.
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
The Sonicwall has no interaction with that third VLAN (which is the phones). The phone talk to their own PBX, the PBX has two NICs, one for the phones, one on my LAN.
-
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
Can you give us a bit more detail?
i.e. something like this
SonicWall
Internal
X0 - LAN (192.168.100.x/24) (DHCP - AD)
X0:10 - Guest (192.168.10.x/24) (DHCP - SonicWall)
VLAN 3 - phones/VOIP (10.10.10.x/24) (DHCP - PBX)You are spot on.
I just mocked this up, does it help?
-
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
OK, so this is how the SonicWall can get access to the third VLAN physically, though since you don't have a second virtual port created on that connection on the SonicWall side, I don't see how the SonicWall is talking to that network.
The Sonicwall has no interaction with that third VLAN (which is the phones). The phone talk to their own PBX, the PBX has two NICs, one for the phones, one on my LAN.
yeah, this is the way that many PBX vendors pretty much demand to be setup, though they can't really tell you why - they'll say "it's about ensuring traffic to the devices because of QOS", etc... but then - is QOS actually setup on your switches for the given VLAN?
But really, in modern networking, if you have to rely on QOS because of network congestion at the switch level, you should really be solving that problem, not using the bandaid of QOS.So with all that in mind, moving the PBX and phones onto the same VLAN as the production LAN should not be an issue - though, you will have to solve the DHCP issues since you'll likely not be using the PBX DHCP server, but instead either SonicWall or AD (you'll have to add some scope options) will be updated.
-
In your setup, you should not need an IP helper address. The Sonicwall is directly attached to both corporate LAN and guest LAN, so there is no routing of DHCP packets happening.
If DHCP is not being handed out - I would suspect the SonicWall is broken - is there a firmware update for it?
-
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
In your setup, you should not need an IP helper address. The Sonicwall is directly attached to both corporate LAN and guest LAN, so there is no routing of DHCP packets happening.
Right, but if I move DHCP to another device, I will. (Even if not, I would still like to understand it better. Which for me, means making it work, then reverting to the original config.)
If DHCP is not being handed out - I would suspect the SonicWall is broken - is there a firmware update for it?
I'll check. But I think it is current. Don't forget, I also suspect it's the scenario that introduces the problem, which means it could be the IPhone, the Unifi, or the Sonicwall.
-
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
I would suspect the SonicWall is broken
I read where the Sonicwalls have a hard time with complex DHCP configs and large pools. I'm consolidating and cleaning up right now. It'll be a few days before I see the changes in pool usage.
Someone said to use two /24 instead of a single /23 on the sonicwall. They said it behaves much better.
I may try that too.
-
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
I would suspect the SonicWall is broken
I read where the Sonicwalls have a hard time with complex DHCP configs and large pools. I'm consolidating and cleaning up right now. It'll be a few days before I see the changes in pool usage.
Someone said to use two /24 instead of a single /23 on the sonicwall. They said it behaves much better.
I may try that too.
How are you using a single /23? that would be a single network... I could see you having two /23 networks, one for LAN and one for Guest, nothing should be wrong with that. You don't have to put the whole range into the DHCP available addresses either, you could limit it to say 100, or what actually fits your needs.
If you have more than 250 devices, using a /23 is every helpful, preventing you from needing to have multiple LANs of /24 and routing between them.
-
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
How are you using a single /23? that would be a single network
X0 - 192.168.0.1/23 - LAN
X0:10 - 192.168.10.0/23 - VLAN -
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
@Dashrender said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
How are you using a single /23? that would be a single network
X0 - 192.168.0.1/23 - LAN
X0:10 - 192.168.10.0/23 - VLANOK - man, if the sonicwall has issues with that, I'd dump them.... well, I'd dump them anyway.
-
@JasGot said in Need to better understand IP Helper for accessing Windows DHCP Server from VLAN.:
Someone said to use two /24 instead of a single /23 on the sonicwall. They said it behaves much better.
Someone thinks that that hardware is garbage! I'm no fan, but I've never even hinted at a SonicWall being that bad. That's a serious level of not believing in the gear.
-
Off the top of my head, another option would be to throw a Pi with pihole directly on your vlan10 and have it do your DHCP as well as all of the pihole adblocking. Just food for thought. Looking at the setup, I'd also make sure that you don't have anything else on that vlan10 set as a dhpc server or with a dhcp-relay.
