I am going from a Windows Server DHCP to our Sophos Firewall.
Am I to understand that the Sophos Firewall does not do static IP reservations? Or at least does not do it in the same manner as Windows does?
Does the reserved IP have to be outside of the lease pool?
Hi Tye Bennett,
The Sophos Firewall does not have DHCP reservations in the traditional sense. You can create a Static IP MAC mapping but it would have to be outside of the dynamic IP lease pool.
Have a read at this related Community post for other ideas: DHCP Reservation option
It is also important to mention that, to avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped, you should make sure that the latter are not in the scope of the DHCP pool.
For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 – 192.168.0.210.
I don't understand from your explanation or the linked post how this isn't a reservation in a traditional sense. There are static IP addresses and dynamic IP addresses. "Reserved" IP addresses are static. In Sophos' case, they logically say that you can't have a static IP address that's also a dynamic IP address. I guess someone could define "reserved" to mean "in the dynamic range, but actually static"?
From a user perspective, it's transparent. Is there an Admin aspect to it that makes things harder? Or is this just "Sophos doesn't work like Microsoft" issue? I'm satisfied with it. (I think some folks don't realize that you can have multiple dynamic ranges by clicking the "+", so if you want some "reserved" addresses in the middle of a dynamic range, you can do that.)
Hi Wayne Folta,
I just mean that traditionally DHCP reservations are reserved IPs within a scope. No need to create gaps in the dynamic lease pool to insert a static IP.
In essence, the Sophos Firewall achieves the idea of DHCP reservations also, just done in a different manner -- via static / dynamic assignments like you mentioned, and can very well be in the "same range" as you explained in the Community post linked.
Hi Tye - not sure why SOPHOS haven't changed this to act like most DHCP servers. I have a solution, however a little inelegant.
You can split the DHCP pool to either side of the already assigned IP from DHCP that you would like to statically MAP.
Do you see how that is done? It's not the prettiest solution and would get quite messy if you have a lot of static DHCP reservations that you want to map, but it does the job.
If you have any questions, let me know - happy to help.
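The clash warning earlier in the thread (a static mapping of 192.168.0.200 inside a 192.168.0.100 – 192.168.0.210 pool) and the pool-splitting workaround above can both be checked mechanically. The script below is an added example written for this page; it is not Sophos code and does not talk to the firewall. It takes the pools and the static MAC-to-IP mappings as plain Python data (the addresses are constructed sample values), reports any mapping that sits inside a dynamic pool, and computes the split pools you would then enter on either side of each mapped address.

```python
"""
Added example, not part of the Sophos Community thread or Sophos itself.
Checks static MAC->IP mappings against DHCP lease pools and splits each
pool around the mapped addresses, as the workaround above describes.
All addresses below are constructed sample values.
"""
from ipaddress import IPv4Address


def overlapping_mappings(pools, mappings):
    """Return the (mac, ip) pairs whose IP falls inside any dynamic pool.

    pools:    list of (start, end) strings, inclusive on both ends
    mappings: dict of MAC -> IP string
    """
    ranges = [(IPv4Address(s), IPv4Address(e)) for s, e in pools]
    clashes = []
    for mac, ip in mappings.items():
        addr = IPv4Address(ip)
        if any(s <= addr <= e for s, e in ranges):
            clashes.append((mac, ip))
    return clashes


def split_pools(pools, mappings):
    """Split each pool so that every statically mapped IP is excluded.

    Returns a list of (start, end) strings. A mapped address at the very
    edge of a pool simply shortens it; a pool that would become empty is
    dropped rather than emitted as an inverted range.
    """
    reserved = sorted({IPv4Address(ip) for ip in mappings.values()})
    result = []
    for start, end in pools:
        s, e = IPv4Address(start), IPv4Address(end)
        cur = s  # first address not yet assigned to an output pool
        for r in reserved:
            if r < s or r > e:
                continue  # mapping lies outside this pool, nothing to cut
            if r > cur:
                result.append((str(cur), str(r - 1)))
            cur = r + 1  # skip the reserved address itself
        if cur <= e:
            result.append((str(cur), str(e)))
    return result


if __name__ == "__main__":
    # Constructed sample: the pool and mapping from the thread's warning.
    pools = [("192.168.0.100", "192.168.0.210")]
    mappings = {"00:11:22:33:44:55": "192.168.0.200"}  # constructed MAC
    for mac, ip in overlapping_mappings(pools, mappings):
        print(f"clash: {mac} mapped to {ip} inside a dynamic pool")
    for start, end in split_pools(pools, mappings):
        print(f"pool: {start} - {end}")
```

For the sample input this prints one clash and two pools, 192.168.0.100 - 192.168.0.199 and 192.168.0.201 - 192.168.0.210, which is exactly the split you would configure by hand. Running it against your full mapping list before you migrate from the Windows server catches every address that would otherwise be handed out twice.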
On the contrary, the non-Sophos way of doing things makes little sense. You are "reserving" IP addresses within a "dynamic" range? Huh? That's like a double-negative. "I'm assigning non non-dynamic addresses", or something like that.
Rather, there are actually dynamic ranges and static ranges. Static IP addresses can be self-assigned, assigned by other servers/services, or they can be assigned by the XG's DHCP server, from addresses NOT being served dynamically.
Dynamic addresses are dynamically served by the XG's DHCP server from a designated pool (a range or ranges) of IP addresses.
Simple. The other way of doing it is illogical, though it is convenient if you willy-nilly start reserving dynamic addresses on-the-fly so you have a patchwork -- like you describe above -- where you have to make lots of single-IP holes in Sophos' dynamic ranges. If you planned your network, you would maybe have three ranges: low (or high) reserved for self-assigned static IP addresses like the XG, a dynamic range for freelance devices, and a static range for official devices. That static range might be served by the XG ("reserved" IPs) or by other devices on the network that you don't want your XG to compete with.
I agree that, logically, the unique way SOPHOS has implemented DHCP server settings is rational, however it's not as useful as the rest of the world's vendors' implementations - and why be different just so you can argue for "correctness" if you're making it harder to use the product. The ability to take a DHCP assigned address and then map it so that the device receives the same IP address is, well, just useful. It IS a dynamic address, just reserved and assigned each time to the same MAC - I wouldn't conflate it with a true reserved static address - one requires planning and the other doesn't and both have their place.
I too am finding out how different the platforms from SG series to XG series really are!!
In SG, you could have a dynamically assigned IP to an endpoint and within the options you could designate to "keep" that IP, despite it still being in the pool.
Why would anyone do this and not just statically assign something outside of the pool?
Simple, you may have a vendor's printer or kiosk you have no admin access for, but you've set up workstations to use that particular IP on said device. It was a great solution to quickly segment the IP from the pool to never be used for another device despite downtime or power outage for a range of time; now that I've replaced the SG with an XG, I have the same printer that I don't have access for, thus I can't quickly designate the IP without the vendor interaction now. I was hoping that feature was still available.
lol so far the only thing similar about SG/XG is that they are both made by Sophos!!! I mean, can't even 1:1 NAT on XG either :) ah growing pains
Yes. But I would argue that the one that doesn't require planning essentially doesn't have a place. It clutters and fragments your address space with arbitrary decisions making it harder to have any sense of what's actually going on.
I have a relatively small network, but every device that is not on the Guest network has a static IP address that's managed by the Sophos DHCP server. On the non-Guest subnets, there are small dynamic ranges which are how I make it easier: you get on the WiFi and your device will get a dynamic address. The main point being that I can now copy/paste your MAC address into the DHCP server and assign you an IP that makes sense. Maybe I care about rebooting the new device so that it has the IP I want, maybe I let it switch when the lease expires. I'm flexible.
So that way I immediately know if a device is on my network that I don't know about, since it has an IP in the dynamic range.
I also use clientless users so that every machine has a user ID. (This part could be made easier rather than as a separate step, for sure.) And almost all of my firewall rules require a user ID for packets to get through. So something that just gets plugged in or jumps onto the WiFi will: a) immediately stand out based on its IP, and b) won't be able to get anywhere.
It feels like the "click to freeze this random address" approach is quicker, but it feels like a boa constrictor on my neck: slowly handing out "permanent" IPs willy-nilly until the point that there's a boatload of work to be done to get on a plan. Instead of a few seconds more work but a setup that is never confusing and never needs additional work.
It's arguably more "correct" in an abstract/principle sense, but also easier in the long run.
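The planned-address approach described in this post has a detection payoff: any lease sitting in a dynamic pool belongs either to a known device that has not yet picked up its planned address, or to something that was never planned at all. The script below is an added example for this page, not Sophos code and not the firewall's lease export format; it reads a constructed CSV lease table, compares it with a constructed static plan and dynamic pool, and sorts each lease into "planned", "pending" (known MAC still on a dynamic address, as happens before its lease expires) or "unknown".

```python
"""
Added example, not part of the thread. Classifies active DHCP leases
against a static plan so that devices in the dynamic range stand out.
The lease table, pools and MACs are constructed sample data and do not
reflect any particular Sophos export format.
"""
import csv
import io
from ipaddress import IPv4Address

# Constructed: the only range handed out dynamically on this subnet.
DYNAMIC_POOLS = [("192.168.1.200", "192.168.1.220")]

# Constructed: MAC -> the IP the plan assigns to that device.
STATIC_PLAN = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.1.11",
    "00:11:22:33:44:03": "192.168.1.12",
}

# Constructed lease table: one known device on its planned IP, one known
# device still holding a dynamic lease, and one MAC nobody planned for.
LEASES_CSV = """mac,ip,hostname
00:11:22:33:44:01,192.168.1.10,printer-1
00:11:22:33:44:03,192.168.1.204,nas
00:11:22:33:44:99,192.168.1.203,android-abc
"""


def parse_leases(text):
    """Parse a mac,ip,hostname CSV into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def in_dynamic_pool(ip, pools=DYNAMIC_POOLS):
    """True if ip lies inside any dynamic pool (inclusive bounds)."""
    addr = IPv4Address(ip)
    return any(IPv4Address(s) <= addr <= IPv4Address(e) for s, e in pools)


def classify_leases(leases, pools=DYNAMIC_POOLS, plan=STATIC_PLAN):
    """Sort leases into planned / pending / unknown buckets.

    planned: known MAC on the IP the plan gives it
    pending: known MAC still on a dynamic address (lease not yet renewed)
    unknown: MAC absent from the plan, or a known MAC on an address that
             is neither its planned IP nor in a dynamic pool
    """
    buckets = {"planned": [], "pending": [], "unknown": []}
    for lease in leases:
        mac = lease["mac"].lower()
        ip = lease["ip"]
        planned_ip = plan.get(mac)
        if planned_ip == ip:
            buckets["planned"].append(lease)
        elif planned_ip is not None and in_dynamic_pool(ip, pools):
            buckets["pending"].append(lease)
        else:
            buckets["unknown"].append(lease)
    return buckets


if __name__ == "__main__":
    for bucket, rows in classify_leases(parse_leases(LEASES_CSV)).items():
        for row in rows:
            print(f"{bucket:8} {row['mac']} {row['ip']} {row['hostname']}")
```

On the sample data the printer lands in "planned", the NAS in "pending" and the Android device in "unknown". The last bucket is the one worth alerting on; the second is just a reminder to reboot the device or wait for the lease to expire, as the post describes.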
William Cannell said: "Why would anyone do this and not just statically assign something outside of the pool?"
Well said. It's not practical the way this is implemented. Every other vendor on the planet allows assigning a reservation to an allocated DHCP address.