DHCP server at Windows SBS2011 or SonicWall?

Matt Kendall asked:

Hi,

I just inherited a network that has a Windows Small Business 2011 Server and a SonicWall TZ400. I like the SonicWall but I'm not a fan of the SBS 2011. The network is a mess. Everything is all on one subnet, including the guest WiFi clients! Not only is this a security concern, they're also running out of IP addresses. They have Ubiquiti UniFi access points. I set up tagging of traffic (VLAN ID 10) coming from the guest WiFi SSID. But the server is set up as the DHCP server, and all the clients have static IPs and are statically set to point to the SBS2011 for DNS. I set the SonicWall to enable DHCP on traffic tagged with VLAN ID 10. But the WiFi traffic doesn't seem to be making it to the SonicWall for DHCP, as no device on the guest WiFi gets an IP address. I'm looking for advice on what the best direction would be to go. The owner doesn't have the resources to replace the SBS2011 at this time, so I have to work with what I have. Would it be best to disable DHCP on the SBS2011 and enable it fully on the SonicWall (instead of only enabling it on VLAN ID 10)? Any other suggestions? Thanks for your advice!
DrDave242:

...they're statically set to point to the SBS2011 for DNS.
It doesn't matter too much which device on the network is the DHCP server, as long as the above remains true. The domain-joined SBS clients really must use the SBS server as their only DNS server.

-->Would it be best to disable DHCP on the SBS2011 and enable it fully on the Sonicwall (instead of only enabling it on VLAN ID10)?
If you want, you can just use DHCP for the guest network. For your internal users/network it is better to use Windows DHCP (SBS DHCP), for many reasons.
https://www.experts-exchange.com/questions/26199432/Switching-DHCP-from-domain-controller-to-the-Router.html
https://www.experts-exchange.com/questions/27187138/DHCP-and-DNS-Server-Vs-Firewall-Router.html

Windows DHCP:
Integrates into DNS
Full range of client-side settings can be defined
Ability to use multiple scopes/superscopes/class IDs
Integrates with the RRAS/VPN server
Can have multiple servers (backup)
Variable lease options
Reservations
Options available at reservation, scope and server level
Integrated logging and management
Matt Kendall (asker):
Thanks DrDave.  

MAS, I was thinking about continuing to use Windows DHCP but do you know if there's a way to have the tagged traffic go to another subnet?
You have a couple of options.
Option 1.
Create a VLAN/interface for guests, enable DHCP for that interface/VLAN and block access to the internal network.
Create one more interface/VLAN for servers and have a route between these VLANs, i.e. local VLAN to server VLAN and vice versa.
One VLAN (existing) for all your users, and let SBS lease IPs for them.

Option 2.
Create a VLAN/interface for guests, enable DHCP for that interface/VLAN and block access to the internal network.
One VLAN for both servers and users, and let SBS lease IPs for the users.

I suggest you hire a consultant who is experienced and let them do it for you (only if you can afford it).
Thanks MAS for these recommendations. I'm not very familiar with SBS 2011, so I looked up how to set up a VLAN on this OS. It looks like the way to set up a VLAN in a Windows Server OS is to enable NIC Teaming. But Microsoft says that SBS 2008 and 2011 don't support NIC Teaming. Is there another way to set up this option in SBS 2011, or should I consider another route? Thanks again for your help!
-->Is there another way to setup this option in SBS 2011 or should I consider another route?
You have to create the VLAN/interface in your firewall. If you have an L3 switch, that will be the recommended method.

If you want to configure routing on Windows, you need to have an RRAS server 2016, which routes the packets between VLANs.
They have a hodge-podge of switches: two unmanaged switches and one L3 switch that the PoE access points plug into. But when I was out, I tried to connect to the console port on it (an old Dell PowerConnect), but the console port wasn't responding on the serial adapter. There was tape stuck to the back of it that said "console port bad". So I'm stuck with two unmanaged switches and one managed switch with a bad console port. The SonicWall TZ400 is the best part of their network. I have an interface set up on it for VLAN ID 10 and DHCP set up for that interface, but any device that connects to that guest network is unable to reach that DHCP server (clients get the 169... IP).
ASKER CERTIFIED SOLUTION by M A
That makes sense.  I should add an access rule to the firewall such as this:

[image: the proposed firewall access rule]
Seems correct. :))
Only you know what names/interfaces are configured.
That fixed the problem.  Thanks MAS!  You're a genius!  Guests are happy again!  Have a great week!
Glad to know you fixed it and that I could be of help. :))
Please be safe; glad to help you again.

MAS
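The zone design from MAS's Option 1 (guest VLAN with DHCP on the firewall, a separate server VLAN routed to the user VLAN, guests blocked from both) together with the DHCP access rule that finally fixed the guest VLAN, modelled as a small first-match policy check. This is an added example, not SonicWall syntax or anything from the thread; the zone names, subnets and the firewall's guest-interface address are assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing, one firewall zone per VLAN/interface (not from the thread).
ZONES = {
    "GUEST": ip_network("192.168.10.0/24"),   # VLAN 10, DHCP served by the SonicWall
    "USERS": ip_network("192.168.1.0/24"),    # existing LAN, DHCP leased by SBS
    "SERVER": ip_network("192.168.2.0/24"),   # where the SBS 2011 box sits
}
FIREWALL_GUEST_IP = "192.168.10.1"            # assumed address of the VLAN 10 interface

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(addr: str):
    """Map an address to a zone; 0.0.0.0 (a client with no lease yet) maps to None."""
    a = ip_address(addr)
    if a == ip_address("0.0.0.0"):
        return None
    for name, net in ZONES.items():
        if a in net:
            return name
    return "WAN"

def allowed(flow: Flow, dhcp_rule_present: bool = True):
    """First-match evaluation; returns (permitted, name of the matching rule)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # DHCP DISCOVER is UDP from 0.0.0.0 to 255.255.255.255, dport 67; renewals are
    # unicast to the firewall's own interface. Without an explicit rule both fall
    # through to the default deny and the client ends up on 169.254.x.x.
    if (flow.proto == "udp" and flow.dport == 67 and dhcp_rule_present
            and flow.dst in ("255.255.255.255", FIREWALL_GUEST_IP)):
        return True, "allow-dhcp-to-firewall"
    if src_zone == "GUEST" and dst_zone in ("USERS", "SERVER"):
        return False, "deny-guest-to-internal"   # guests never reach SBS, not even for DHCP
    if src_zone == "GUEST" and dst_zone == "WAN":
        return True, "allow-guest-internet"
    if src_zone in ("USERS", "SERVER") and dst_zone in ("USERS", "SERVER", "WAN"):
        return True, "allow-internal"            # the route between user and server VLANs
    return False, "default-deny"

if __name__ == "__main__":
    for f in (Flow("0.0.0.0", "255.255.255.255", "udp", 67),
              Flow("192.168.10.20", "192.168.2.10", "tcp", 445)):
        print(f, allowed(f))
```

Toggling `dhcp_rule_present` reproduces the symptom from the thread: the same DISCOVER that is permitted with the rule falls to the default deny without it.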