
DHCP reservations

I am going from a Windows Server DHCP to our Sophos Firewall.

Am I to understand that the Sophos Firewall does not do static IP reservations? Or at least does not do it in the same manner as Windows does?

Does the reserved IP have to be outside of the lease pool?



  • Hi Tye - not sure why SOPHOS haven't changed this to act like most DHCP servers. I have a solution, however a little inelegant.

    You can split the DHCP pool to either side of the already assigned IP from DHCP that you would like to statically MAP.

    EG:

    Do you see how that is done? It's not the prettiest solution and would get quite messy if you have a lot of static DHCP reservations that you want to map, but it does the job.

    If you have any questions, let me know - happy to help.
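The pool-splitting workaround above (carve the dynamic range into the pieces on either side of each address you want to map statically) is easy to get wrong by hand once there are several reservations. The following is an added example, not code from the poster or from Sophos: given a pool and the addresses to reserve, it returns the sub-ranges that would remain dynamic. It assumes inclusive start/end ranges and that reservations outside the pool need no hole at all; adjacent reserved addresses collapse into one gap.

```python
import ipaddress
from typing import Iterable, List, Tuple

Range = Tuple[str, str]  # inclusive (start, end) as dotted strings


def split_pool(pool_start: str, pool_end: str, reserved: Iterable[str]) -> List[Range]:
    """Carve the reserved addresses out of pool_start..pool_end (inclusive)
    and return the dynamic sub-ranges that remain, in address order.

    Reserved addresses that fall outside the pool are ignored (no hole is
    needed); consecutive reserved addresses produce a single gap.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start.version != end.version:
        raise ValueError("pool start and end must be the same IP version")
    if start > end:
        raise ValueError("pool start must not be above pool end")
    addr_type = type(start)  # IPv4Address or IPv6Address, used to rebuild addresses from ints

    # Keep only the reservations that actually sit inside the pool, as integers.
    holes = set()
    for r in reserved:
        a = ipaddress.ip_address(r)
        if a.version != start.version:
            raise ValueError(f"{r} is not the same IP version as the pool")
        if start <= a <= end:
            holes.add(int(a))

    ranges: List[Range] = []
    cursor = int(start)  # first address not yet assigned to a sub-range
    for hole in sorted(holes):
        if hole > cursor:  # there is dynamic space before this hole
            ranges.append((str(addr_type(cursor)), str(addr_type(hole - 1))))
        cursor = hole + 1  # resume just after the hole
    if cursor <= int(end):  # trailing dynamic space after the last hole
        ranges.append((str(addr_type(cursor)), str(addr_type(int(end)))))
    return ranges


if __name__ == "__main__":
    # Constructed sample: a 101-address pool with three reservations, one at the pool's end.
    for lo, hi in split_pool("192.168.1.100", "192.168.1.200",
                             ["192.168.1.150", "192.168.1.151", "192.168.1.200", "192.168.1.10"]):
        print(f"dynamic range {lo} - {hi}")
```

Each returned pair is one dynamic range to configure; the reserved addresses then sit in the gaps, where a static MAC-to-IP mapping can use them without colliding with the dynamic pool.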


  • On the contrary, the non-Sophos way of doing things makes little sense. You are "reserving" IP addresses within a "dynamic" range? Huh? That's like a double-negative. "I'm assigning non non-dynamic addresses", or something like that.

    Rather, there are actually dynamic ranges and static ranges. Static IP addresses can be self-assigned, assigned by other servers/services, or they can be assigned by the XG's DHCP server, from addresses NOT being served dynamically.

    Dynamic addresses are dynamically served by the XG's DHCP server from a designated pool (a range or ranges) of IP addresses. 

    Simple. The other way of doing it is illogical, though it is convenient if you willy-nilly start reserving dynamic addresses on-the-fly so you have a patchwork -- like you describe above -- where you have to make lots of single-IP holes in Sophos' dynamic ranges. If you planned your network, you would maybe have three ranges: low (or high) reserved for self-assigned static IP addresses like the XG, a dynamic range for freelance devices, and a static range for official devices. That static range might be served by the XG ("reserved" IPs) or by other devices on the network that you don't want your XG to compete with.

  • I agree that, logically, the unique way SOPHOS has implemented DHCP server settings is rational, however it's not as useful as the rest of the world's vendors' implementations - and why be different just so you can argue for "correctness" if you're making it harder to use the product. The ability to take a DHCP assigned address and then map it so that the device receives the same IP address is, well, just useful. It IS a dynamic address, just reserved and assigned each time to the same MAC - I wouldn't conflate it with a true reserved static address - one requires planning and the other doesn't and both have their place.

  • Yes. But I would argue that the one that doesn't require planning essentially doesn't have a place. It clutters and fragments your address space with arbitrary decisions making it harder to have any sense of what's actually going on.

    I have a relatively small network, but every device that is not on the Guest network has a static IP address that's managed by the Sophos DHCP server. On the non-Guest subnets, there are small dynamic ranges which are how I make it easier: you get on the WiFi and your device will get a dynamic address. The main point being that I can now copy/paste your MAC address into the DHCP server and assign you an IP that makes sense. Maybe I care about rebooting the new device so that it has the IP I want, maybe I let it switch when the lease expires. I'm flexible.

    So that way I immediately know if a device is on my network that I don't know about, since it has an IP in the dynamic range.

    I also use clientless users so that every machine has a user ID. (This part could be made easier rather than as a separate step, for sure.) And almost all of my firewall rules require a user ID for packets to get through. So something that just gets plugged in or jumps onto the WiFi will: a) immediately stand out based on its IP, and b) won't be able to get anywhere.

    It feels like the "click to freeze this random address" approach is quicker, but it feels like a boa constrictor on my neck: slowly handing out "permanent" IPs willy-nilly until the point that there's a boatload of work to be done to get on a plan. Instead of a few seconds more work but a setup that is never confusing and never needs additional work.

    It's arguably more "correct" in an abstract/principle sense, but also easier in the long run.
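The planned layout described in this reply (static mappings only from addresses outside the dynamic ranges, and an unknown device standing out because it lands in the dynamic range) can be checked mechanically. The following is an added example, not code from the poster or from Sophos: it validates a plan of dynamic ranges plus static MAC-to-IP mappings, and then scans a constructed lease list for addresses in the dynamic range that belong to a MAC with no mapping. The lease line format (ip, mac, hostname separated by whitespace) is an assumption for the sample, not the firewall's actual export format.

```python
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[str, str]  # inclusive (start, end)


def in_ranges(ip: str, ranges: List[Range]) -> bool:
    """True if ip falls inside any of the inclusive ranges."""
    a = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi) for lo, hi in ranges)


def check_plan(dynamic: List[Range], static: Dict[str, str]) -> List[str]:
    """Return problems with a DHCP plan (empty list means the plan is consistent).

    Flags a static mapping whose address lies inside a dynamic range (the
    XG model requires static addresses to come from outside the pool) and
    two MACs mapped to the same address.
    """
    problems: List[str] = []
    owner: Dict[str, str] = {}  # ip -> first MAC seen with it
    for mac, ip in static.items():
        if in_ranges(ip, dynamic):
            problems.append(f"{mac} -> {ip} lies inside a dynamic range")
        if ip in owner:
            problems.append(f"{ip} is mapped to both {owner[ip]} and {mac}")
        owner.setdefault(ip, mac)
    return problems


def parse_leases(text: str) -> List[Tuple[str, str, str]]:
    """Parse constructed lease lines of the form 'ip mac hostname'; blank lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, mac, host = parts[0], parts[1].lower(), parts[2]
        leases.append((ip, mac, host))
    return leases


def stray_devices(leases: List[Tuple[str, str, str]], dynamic: List[Range],
                  static: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Leases sitting in a dynamic range whose MAC has no static mapping:
    exactly the 'device I don't know about' case from the discussion."""
    known = {m.lower() for m in static}
    return [(ip, mac, host) for ip, mac, host in leases
            if in_ranges(ip, dynamic) and mac not in known]


# Constructed sample plan: one small dynamic range, static mappings elsewhere in the subnet.
DYNAMIC = [("192.168.1.100", "192.168.1.119")]
STATIC = {
    "aa:bb:cc:00:00:01": "192.168.1.20",   # printer, planned static range
    "aa:bb:cc:00:00:02": "192.168.1.21",   # NAS, planned static range
}

# Constructed lease list: a mapped device on its static IP, a mapped device still on a
# dynamic lease (not yet rebooted), and an unknown device on a dynamic lease.
SAMPLE_LEASES = """
192.168.1.20  aa:bb:cc:00:00:01 printer
192.168.1.105 AA:BB:CC:00:00:02 nas
192.168.1.110 de:ad:be:ef:00:99 unknown-phone
"""


if __name__ == "__main__":
    for p in check_plan(DYNAMIC, STATIC):
        print("plan problem:", p)
    for ip, mac, host in stray_devices(parse_leases(SAMPLE_LEASES), DYNAMIC, STATIC):
        print(f"unmapped device in dynamic range: {host} {mac} {ip}")
```

The known-but-still-dynamic NAS is deliberately not flagged: it will move to its static address when its lease expires or it is rebooted, which is the flexibility the reply describes. Only the device with no mapping at all is reported.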