Firewall as DHCP

Posted on 2006-07-09
Medium Priority
Last Modified: 2012-05-05
Hi all.

Currently we have a DSL modem that is connected to a SOHO Watchguard Firewall that in turn feeds our three Netgear switches and hence our workstations and four servers.

The SOHO was setup as the DHCP so I am assuming it is assigning the IP's.

There are times when our Internet goes down and our network also goes down; in other words, when there is no Internet we cannot access any network folders. Is this because the firewall is the DHCP and is connected to the switches?

If so, should we make our domain controller the DHCP and not the firewall?

Thank you in advance.
Question by:printmedia
LVL 77

Expert Comment

by:Rob Williams
ID: 17070007
I doubt the fact that the SOHO unit is the DHCP server would take down the network, however....
-Are you aware the WatchGuard SOHOs require licenses? The base unit has 10 licenses and the 11th user to connect will be denied access. I don't recall if it denies a DHCP address or just Internet access, but worth looking into. Additional licenses can be purchased.
-As for making your Domain Controller the DHCP server, that is definitely a good idea. The server allows you far greater control over scope options, and enabling DHCP will also allow for dynamic updates to DNS. When doing so make sure you disable DHCP on the router, and on the server and PCs have them all point only to your internal DNS server for DNS. Add the ISP's DNS only as a forwarder in DNS; do not add the ISP's DNS to any NICs. In the DHCP scope options you should also add option #003, your router/default gateway address; #006, your internal DNS server; #044, WINS if using it; and #015, your local DNS domain name such as yourcompany.local.
-Are there any errors logged in the Event Viewers of the PCs or DC when the "network goes down"?
LVL 10

Expert Comment

ID: 17070376
I have a WatchGuard with the same problems (but mine is set up static). It works at times, then goes down randomly. I've completely cleared the settings and started from scratch several times. It starts working for about a week, then goes down again (or even after a day or two). WatchGuard's tech support also sucks and takes on average 2-4 hours (or longer) to call you back. Although mine seems to work on a cable modem (with DHCP), once I hook it up to the DSL modem at the office it just goes to S**T again after a while.

Personally I will never buy another WatchGuard again. Probably not the answer you're looking for, but I just thought I'd add my 2 cents.


Expert Comment

ID: 17072148
I don't think the problem is the firewall - it wouldn't make sense for you to stop being able to access network folders whatever the firewall is playing at.

It seems more likely to me that you have a problem with one of your switches. Do any of them display any unusual light activity when the problem occurs?
LVL 12

Expert Comment

ID: 17075770
Agree with RobWill...

I don't think DHCP alone would cause this problem. What do you have for your DNS server? Ideally you want your domain controller to do DHCP and DNS. If you have a second server, the second server can do backup DNS. If you have any DNS entries pointing to your cable modem or SOHO, this could cause the network to come down if those devices go down.

* PS - I have an X500 with Fireware working fine. The WatchGuard forums I have found are actually pretty good - instead of waiting a few hours for tech support overseas. You may have to go there to find any bugs with your WatchGuard's OS. I found a few with mine. If not, start out with the least number of features enabled/configured and slowly add to them. WatchGuard errs on the side of being too secure (unstable?) by default.

Author Comment

ID: 17076257
Thanks for the reply NetAdmin.

Currently our Domain Controller (Windows 2000 Server) is our DNS server and the SOHO Watchguard has the DHCP feature enabled.

Our workstations have the Domain Controller's IP address saved in the TCP/IP Settings under the "Use the following DNS server addresses" option.

If they don't have that then they tend to not connect to the network correctly, I don't know why.

And we will be making our Domain Controller the DHCP server as well soon.

As far as recreating the situation where the Internet goes down and our network goes down, I will have to do that during off hours; hopefully after we switch the DHCP server it will be OK.
LVL 77

Expert Comment

by:Rob Williams
ID: 17076356
>>"Our workstations have the Domain Controller's IP address saved in the TCP/IP Settings under the "Use the following DNS server addresses" option."
I assume you do not also have the ISP's DNS listed here. It shouldn't be.

>>"If they don't have that then they tend to not connect to the network correctly, I don't know why."
This may be resolved when DHCP is switched to the server.

For the record we have had great luck with the WatchGuard SOHOs, but I must say the one occasion I needed tech support, it was 36 hours for a response, even with all units (5) having a paid support contract.

Author Comment

ID: 17076574
The ISP's DNS is on the Domain Controller/DNS Server TCP/IP settings.

Is it difficult to set up a domain controller/dns server as a DHCP server?

Why should the same server be all three: Domain Controller, DNS and DHCP server?
LVL 77

Accepted Solution

Rob Williams earned 1000 total points
ID: 17076746
>>"The ISP's DNS is on the Domain Controller/DNS Server TCP/IP settings."
This may be part of the problem. All network adapters on the server and workstations should only have your internal DNS server listed as a DNS server. The ISP's DNS should only be listed as a forwarder in the DNS configuration. If you add the ISP's DNS anywhere else, even as the secondary DNS, sometimes local DNS will look to the Internet and fail.
To add to the forwarders, open the DNS management console, click on the server, in the right window there should be a series of folders/links. Right click on Forwarders and choose properties. On the forwarders tab under "selected domain's forwarder IP_address list" add your ISP's DNS servers and click apply.
Make sure you remove the ISP's DNS from the NIC, and reboot the server or from a command line enter:
ipconfig  /flushdns
ipconfig  /registerdns
(note: if the above forwarders is missing or grayed out, let us know and we can tell you how to change/fix)

>>"Is it difficult to set up a domain controller/dns server as a DHCP server?"
Not at all, if it is a basic configuration with a single scope/range, which I assume it is if you are using the router.
Simply open the "Manage your server" console, and choose add or remove a role, then choose DHCP server and it will walk you through it. Once done you can open the DHCP management console in administrative tools.
I don't remember if it initiates the service with the wizard or not, but on the server there should be a little green dot. If not, right click on the server and choose authorize.  By the way, the DHCP service will shut down if it finds another DHCP server on the network. You can restart the service in the services management console.
Also when it is set up you should confirm the scope options I suggested above (003, 006, 015, 044). In the DHCP management console expand the server, then the Scope, right click on the scope options (may have to click twice) and choose configure options. Here you can make any changes or additions.

>>"Why should the same server be all three: Domain Controller, DNS and DHCP server?"
Central management. Also enabling DHCP on the server allows it to automatically update DNS records for the DHCP clients.

Following is a copy of an earlier post of mine that may be helpful:
Assuming you have completed the server installation, installed Active Directory, and joined the workstations to the Domain, make sure DNS is configured as follows, assuming a single network adapter:
-The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here
-Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses, a static IP in the same subnet as the server, the same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again, do not put an ISP's DNS server here
-In the DNS management console under Administrative tools, right click on the server name and choose properties. On the Forwarders tab add your ISP's DNS servers
-If the workstations are using DHCP, open the DHCP management console on the server under Administrative tools and click on the server name to expand it, click on the scope to expand it, right click on scope options and choose configure options. On the general tab add the Internet router's IP in #003 router, the server's IP in #006 DNS Servers, and the domain name and suffix under #015 such as mydomain.local
-If DHCP is enabled on the router rather than the server, it should really be disabled on the router and configured on the server. Enabling DHCP on the server allows for dynamic updates to DNS
-The DHCP client service should be running on servers and workstations even where you are not using DHCP assignments. The DHCP client service controls the dynamic DNS updates

If you have been having DNS problems, on the workstations that have been having problems you should clear the DNS cache by entering at a command line  
  ipconfig  /flushdns
and then
  ipconfig  /registerdns
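The layout Rob Williams describes here and in his first comment (ISP resolvers only as forwarders, nothing but the internal DNS server on any NIC, DHCP moved to the domain controller with options 003/006/015 and optionally 044, then a flush and re-register) as an added PowerShell example. This is not code from the original thread; it assumes a current Windows Server with the DnsServer and DhcpServer modules rather than the Windows 2000 console steps above, and every address, the adapter name and the domain name are placeholders.

```powershell
# Added example, not from the thread: Rob Williams's DNS/DHCP layout on a
# current Windows Server (DnsServer + DhcpServer modules). All values below
# are assumed placeholders; 203.0.113.0/24 is the documentation range.
#Requires -RunAsAdministrator

$Nic        = 'Ethernet'                        # server's single LAN adapter (assumed)
$ServerIp   = '192.168.1.10'                    # DC / DNS / DHCP server (assumed)
$Router     = '192.168.1.1'                     # WatchGuard SOHO LAN address (assumed)
$IspDns     = @('203.0.113.53', '203.0.113.54') # ISP resolvers (assumed)
$DnsDomain  = 'yourcompany.local'
$ScopeId    = '192.168.1.0'
$ScopeStart = '192.168.1.100'
$ScopeEnd   = '192.168.1.199'
$Mask       = '255.255.255.0'

# 1. The server's NIC lists only itself as DNS; this overwrites any ISP entry.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $ServerIp

# 2. ISP resolvers go in as forwarders only (replaces the existing forwarder list).
Set-DnsServerForwarder -IPAddress $IspDns

# 3. Create the scope and set options 003 (router), 006 (DNS), 015 (domain name).
#    Option 044 (WINS) is only added when a WINS server is actually in use.
Add-DhcpServerv4Scope -Name "$DnsDomain LAN" -StartRange $ScopeStart -EndRange $ScopeEnd `
    -SubnetMask $Mask -LeaseDuration (New-TimeSpan -Days 3) -State Active
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Router -DnsServer $ServerIp -DnsDomain $DnsDomain

# 4. Authorize the DHCP server in Active Directory (the "green dot" step);
#    an unauthorized server on a domain network stops handing out leases.
Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$DnsDomain" -IPAddress $ServerIp

# 5. Verify: no ISP address may remain on the NIC, and only one authorized
#    DHCP server should be listed (a second one means the router is still serving).
$nicDns = (Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4).ServerAddresses
$leak = $nicDns | Where-Object { $IspDns -contains $_ }
if ($leak) { throw "ISP DNS still configured on $Nic : $($leak -join ', ')" }
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress
Get-DhcpServerInDC | Format-Table DnsName, IPAddress
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value

# 6. Same effect as "ipconfig /flushdns" and "ipconfig /registerdns".
Clear-DnsClientCache
Register-DnsClient
```

Run it once on the domain controller after DHCP has been disabled on the WatchGuard; the check in step 5 is the one worth keeping around, since an ISP resolver quietly re-added to a NIC is what produces the "local DNS looks to the Internet and fails" behaviour described above.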


Expert Comment

ID: 17076869
fwiw I really think the wrong tree is being barked up here.

The PCs are using DNS on the server to resolve LAN PC names, and are assigned a DHCP address which by default will probably be assigned for 3 days or so, so you could throw the firewall out the window and you should still be able to access network shares - the LAN shouldn't go straight down. (Yes, rebooted PCs will lose connectivity - but not immediately.)

If the connectivity between the machines goes down *at the same time as the Internet goes down*, it's probably the device connecting the whole lot together.

I wholeheartedly agree though, it would be better to run DHCP on the server.

Next time it goes down, do an ipconfig on a workstation that can't access shares - if you still have a valid IP, try pinging your server by IP - if you can't, it's almost certain it's a switch problem.
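The ipconfig-then-ping triage above, written out as an added PowerShell script (not from the thread) so it can be run on an affected workstation the moment shares disappear; the server name and address are assumed placeholders. It separates the three failure layers the thread is debating: no valid lease (DHCP), a valid lease but no ping by IP (switch or cabling), and ping by IP working but the name not resolving (DNS), with an SMB port check at the end to rule out the server itself.

```powershell
# Added example, not from the thread: layered triage for "shares are gone".
# $ServerName / $ServerIp are assumed placeholders; know the IP out of band
# so the by-IP test does not itself depend on DNS.
$ServerName = 'dc1'
$ServerIp   = '192.168.1.10'

# Layer 1: do we hold a usable address at all? 169.254.x.x (APIPA) means no lease.
$ip = Get-NetIPAddress -AddressFamily IPv4 |
      Where-Object { $_.InterfaceAlias -notmatch 'Loopback' -and $_.IPAddress -notlike '169.254.*' } |
      Select-Object -First 1
if (-not $ip) {
    "No usable IPv4 address (APIPA or none): the lease is gone or was never obtained. Look at DHCP."
    return
}
"Address $($ip.IPAddress)/$($ip.PrefixLength) on $($ip.InterfaceAlias), origin $($ip.PrefixOrigin), valid for $($ip.ValidLifetime)"

# Layer 2/3: with a valid address, can we reach the server by IP? If not, the
# path (switch, uplink, cabling) is broken and DNS/DHCP are not the cause.
if (-not (Test-Connection -ComputerName $ServerIp -Count 2 -Quiet)) {
    "Ping to $ServerIp failed despite a valid local address: switch/cabling path, not DNS or DHCP."
    return
}

# Name resolution: which DNS server is configured, and does it answer for the server name?
$dnsServers = (Get-DnsClientServerAddress -InterfaceAlias $ip.InterfaceAlias -AddressFamily IPv4).ServerAddresses
"Configured DNS servers: $($dnsServers -join ', ')"
try {
    $r = Resolve-DnsName -Name $ServerName -Type A -Server $dnsServers[0] -ErrorAction Stop
    "$ServerName resolves to $($r.IPAddress -join ', ') via $($dnsServers[0])"
} catch {
    "Ping by IP works but $ServerName does not resolve via $($dnsServers[0]): DNS problem (check forwarders / ISP DNS on NICs)."
    return
}

# Service level: SMB on 445. If this fails with IP and DNS working, look at the server.
$smb = Test-NetConnection -ComputerName $ServerIp -Port 445 -InformationLevel Quiet
if ($smb) { "SMB (445) reachable: network path and DNS are fine; look at the share or server itself." }
else      { "IP and DNS work but 445 is closed or filtered: firewall or service on the server." }
```

Each branch stops at the first layer that fails, which is the point of the comment above: a workstation that still holds a lease and cannot ping the server by IP has a switching problem no amount of DHCP or DNS rework will fix.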

Expert Comment

ID: 17083450
Win 2k domain really doesn't work well unless it's the primary domain controller (just an aside).  And if your soho goes down, seems like you lose 2/3 of your network at least, as well as probably a bunch of LAN access.  The computers should always be able to find other computers on the same switch (those requests are layer-2, dns independent), but from the sounds of it, when your soho goes down, your workstations may lose connection with your 4 servers, hence, no LAN.

my advice, get your network completely on switch, only one connection from the whole network to the soho, then your network and your internet become independent.

- dan.

Author Comment

ID: 17089982
The way our network is setup now is:

DSL Router --> SOHO Watchguard --> Netgear Switchbox 1 --> Netgear Switchbox 2 --> Netgear Switchbox 3
LVL 77

Expert Comment

by:Rob Williams
ID: 17090778
You had asked about DHCP on the server vs. WatchGuard initially, thus all of the information regarding that. I am doubtful, as others have stated, that that is "taking down" the network. I would however check the licensing issue as mentioned for the WatchGuard, especially if your servers use DHCP to obtain an IP (they shouldn't).
-Do you have a spare switch that you could swap with an existing switch for a time to see if it might be the switch?
-There was a 3-4-5 rule for hubs that changed with switches, such that I don't believe you can properly daisy chain 3 switches without reduced performance or occasional problems. Can you change the configuration to:
DSL Router --> SOHO WatchGuard --> Netgear Switchbox 1 --> Netgear Switchbox 2
                                                                     \---------------> Netgear Switchbox 3
-Wiring can cause all sorts of problems. Even if you have a connection you may not have trouble-free wiring. It might be worth getting an independent contractor to come in and certify your network cabling with a proper test instrument such as a Fluke DSP.
LVL 12

Assisted Solution

NetAdmin2436 earned 1000 total points
ID: 17091125
If you think it's your switches, an easy visual check is to go to the networking closet/room and look at the LED lights. Are the lights running constantly? Is your uplink port a steady light?

You should have 1 GB uplinks from switch to switch, for networking best practices and results. If you only have 10/100 uplinks from switch to switch, then bottlenecks may occur. For example, if you have a 24 port switch using a 10/100 uplink to the next switch, you have 24 users sharing a 10/100 port to your Netgear Switchbox 1. To make it worse, if you daisy chain Netgear Switchbox 3, you're adding even more users to share the 10/100 uplink to your Netgear Switchbox 1. Depending on what your company does, this can slow things down (i.e. just email and Internet, or doing more intensive CAD, videos over the network, etc.). To reiterate what RobWill's diagram is showing: from each switch you should have an uplink to your Netgear Switchbox 1 (main switch). Typically, you want all of your servers on this main switch as well. And yes, if you can upgrade and get all your network on 1 switch, that's all the better. The fewer switches the better.

Author Comment

ID: 17091309
I will give that a shot. Thanks for all your help!
LVL 77

Expert Comment

by:Rob Williams
ID: 17091354
Thanks printmedia. Lots to work on there :-)
Good luck.
