Multiple DHCP in subnet breaks P2P mapped drive and network drives

Guest

This is an FYI. For months, users running peer-to-peer (P2P) programs using
central server mapped drives (aka network drives) would periodically
disconnect. This wreaks havoc with many programs including Outlook, ACT!, and
other P2P programs. But the shared drives always appeared under My Computer.
This went on with me trying almost anything. I found nothing on the net
describing effective solutions. Finally found the problem.

We have a corp router running DHCP. We put a wifi router (which needs its
own DHCP for new wifi connections) on the net, connecting the routers together
(not using the WAN). We ensured the DHCP servers did not overlap. This broke
the reliable operation of the net. When we pulled the wifi router off the
local subnet, everything became reliable again. After months of people
crashing dozens of times per day.

In the future, I recommend only a single router DHCP per subnet. Wifi
routers should be connected with the WAN to the LAN, and the wifi should get
its own subnet. Best practices anyway as firewall exists between the wifi
subnet and the corp LAN.

Argggg.

Richard G. Harper

Yes, that's an inherent problem because of the way DHCP works. When a
device wants an address it sends a broadcast message looking for any DHCP
server, and the first one to respond gets to hand out the address. You can
make it work by splitting your range (for example, one DHCP server gets to
hand out addresses in the 192.168.1.1 to 192.168.1.120 range, the other one
from 192.168.1.121 to 192.168.1.255), but it's more work than it's worth
unless you really need two DHCP servers.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

Phillip Windell

Phil said:
> In the future, I recommend only a single router DHCP per subnet. Wifi
> routers should be connected with the WAN to the LAN, and the wifi should get
> its own subnet. Best practices anyway as firewall exists between the wifi
> subnet and the corp LAN.

The best thing is to not use a WiFi "router" to begin with unless it is at
the network's "Edge" and serves NAT for the LAN. You should use a WiFi
Access Point (WAP) instead, which does not do NAT or DHCP, but is merely the
equivalent of a Wireless "hub". You can add as many of these as you want to
a LAN by just plugging them into any Hub or Switch and it won't affect the
LAN at all.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

Guest

Hi Richard,

Thanks for your response. The point is that I *did* properly divide the two
DHCP servers to only assign non-overlapping IP addresses. And it *still*
broke the mapped/network drives. I thought as long as they didn't overlap
there'd be no problem, but that is not the case.

I'm still not sure why, but I saw something that indicated that Windows 2000
does some automatic smart DNS updating, and the multiple DHCP could have been
messing it up.

The lesson learned is, partitioned DHCP servers on a single subnet can cause
very difficult problems.

cheers,
phil...

Guest

Hi,

Thanks for your email. I originally was attempting to set the unit up as a
wifi access point only, using the wifi router I had. If I had disabled DHCP,
that would be fine.

But I was lazy trying to set up an access point. I believe that a wifi
access point should always (IMHO) be replaced with a router with NAT. For a
few reasons. Using the corp DHCP for wifi users is a security hole, and on
the same subnet all network ID chatter is being broadcast to the world. Also,
wifi security is so weak (see recent IEEE Spectrum articles). Wifi users need
DHCP, by definition almost, and having their own subnet with DHCP segments
them from the corp network. And NAT can provide additional routing security
if pass-through is required.

cheers,
phil...

Phillip Windell

Phil said:
> Hi,
>
> Thanks for your email. I originally was attempting to set the unit up as a
> wifi access point only, using the wifi router I had. If I had disabled DHCP,
> that would be fine.
>
> But I was lazy trying to set up an access point. I believe that a wifi
> access point should always (IMHO) be replaced with a router with NAT.

No. Not all use NAT for one thing. Some use Proxying, which is a different
technology and method. I would never replace a $4,000.00 ISA Server with an
$80 WiFi NAT box because I wanted to have Wifi Clients.

> For a few reasons. Using the corp DHCP for wifi users is a security hole,

No it is not. DHCP on a Windows Server is more secure and more capable than
one on a simple NAT Device. Windows DHCP can easily grant addresses to multiple
subnets with completely different settings given out to the clients.

> and on the same subnet all network ID chatter is being broadcast to the
> world.

No it is not broadcast to the world. The WAP has to first be connected to
by the client, and second, a WAP should never be hooked up without security
such as WEP or WPA so that the "world" can never connect to it. Now if it
is specifically meant to be a "Public WAP", then yes, it should be a
different subnet and controlled with ACLs.

> Also, wifi security is so weak (see recent IEEE Spectrum articles). Wifi users
> need DHCP, by definition almost, and having their own subnet with DHCP
> segments them from the corp network.

They say that about every security method that has ever been invented once
the technology reaches about 6 months of age. The only "real" security is
to not have a computer at all and never write anything on paper and never
write a paper check, because your bank account number, bank routing number,
bank name & address, your name, address, phone, sometimes driver's license
number are all on every check. I could do a lot more to you by having you
write me a check than I could ever do fooling with your WAP.

> And NAT can provide additional routing security if pass-through is
> required.

What "pass through"? NAT is not even technically "routing", so I don't know
what you are referring to here.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Guest

Hi Phil,

> No. Not all use NAT for one thing. Some use Proxying, which is a different
> technology and method. I would never replace a $4,000.00 ISA Server with an
> $80 WiFi NAT box because I wanted to have Wifi Clients.

I was not entirely clear. I think wifi should have DHCP (I think we agree on
that, no nailed IP for users trying to easily pop on). I said my lesson
learned was that wifi should always have its own router (assumed with some
firewall, routing control, and NAT) in its own wifi subnet. In this way,
access from the wifi subnet to the corp network starts with no access, unless
rights are granted. Good variants also exist (wifi in the DMZ). The ISA
server for $4K is great and stays great. That was my point also.

> No it is not. DHCP on a Windows Server is more secure and more capable than
> one on a simple NAT Device. Windows DHCP can easily grant addresses to multiple
> subnets with completely different settings given out to the clients.

Wifi users using corp DHCP require access to corp network resources. I'd
prefer segmenting them to their own space until everyone is assigned an IP, then
control with wifi router and/or corp router firewall rules.

> No it is not broadcast to the world. The WAP has to first be connected to
> by the client, and second, a WAP should never be hooked up without security
> such as WEP or WPA so that the "world" can never connect to it. Now if it
> is specifically meant to be a "Public WAP", then yes, it should be a
> different subnet and controlled with ACLs.

Again, different strategies for security. Segmenting to restrict access to
data is stronger security than relying upon WEP/WPA alone. Most everyone I
know feels OK about it, but I think why transmit it if it isn't needed?

> They say that about every security method that has ever been invented once
> the technology reaches about 6 months of age. <other good points deleted for brevity>

I had taken that position also until recently. If I can easily restrict
possible wifi security holes through other means, I don't see why it isn't a
best practice. Need-to-know is a good basic rule for security unless the cost
gets far too high.

> What "pass through"? NAT is not even technically "routing", so I don't know
> what you are referring to here.

My bad. Shortcutted a router with firewall abilities including routing
controls. I like the comfort of a firewall between wifi and my LAN. There are
a lot of phreaks out there hacking on wifi. If you think your router password
and WEP/WPA and the keys are good enough, then so be it. But is that the best
security you can get? Is another topology more secure and not really harder?

No religion on any of this. I'm just slogging through trying to use best
practices. The intent of my original posting was to provide web-searchable
pointers to the problem I had. I was too dense on this, and since I
discovered the problem, consultant friends have confirmed the multiple DHCP
problem with W2K server operation. Haven't found anything on the MS website
describing this though...

cheers,
phil...

Phillip Windell

Phil said:
> I was not entirely clear. I think wifi should have DHCP (I think we agree on
> that, no nailed IP for users trying to easily pop on). I said my lesson
> learned was that wifi should always have its own router (assumed with some
> firewall, routing control, and NAT) in its own wifi subnet. In this way,
> access from the wifi subnet to the corp network starts with no access, unless
> rights are granted.

You mean like a "quarantine segment"?...similar to ISA's "VPN Quarantine".

> Again, different strategies for security. Segmenting to restrict access to
> data is stronger security than relying upon WEP/WPA alone. Most everyone I
> know feels OK about it, but I think why transmit it if it isn't needed?

I can see that. I guess it depends on what is actually on the network that
they might get into. I might be just as satisfied with a single segment and
combining it with NTFS Permissions and Access Controls built into the
"services" themselves (depending on what those services happen to be). I
just think there is more to security than just Layers 3&4,..IP's and Port
numbers. With the exploding popularity of "firewalls" in the last couple of years
it seems that too many people think the entire realm of "security" is
encompassed in being able to slap a Firewall between something and you have
instant security,..just add water.,...people seem to have forgotten that
there is access control built into Applications and there is File System
Security as well. So that way being "on the wire" isn't the same thing as
"having access".

> discovered the problem, consultant friends have confirmed the multiple DHCP
> problem with W2K server operation. Haven't found anything on the MS website
> describing this though...

I run two DHCP on the same segment and both of them serve addresses to all
my segments. I never have any problem with them. But they are identical
setups with identical specs. Only the Exclusions prevent them from giving
out the same addresses (conflicting addresses) to users. You can have
problems if the Scope's base range is "split" between the two. The proper
way would be to give them the same full base range (not split) in the scopes
of both machines (100% overlap),...then use the Exclusions to control it
from there. The explanation I read was kind of lengthy and I don't
remember it well enough to describe it.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
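The two layouts discussed in this thread, Richard's split ranges and Phillip's identical full range carved up with Exclusions, both come down to the same property: the set of addresses each server will actually hand out must not intersect, because each server tracks only its own leases and the client simply binds to whichever DHCPOFFER arrives first. The model below is an added example written for this page, not code from any poster or from Windows DHCP. It computes each server's assignable pool from its range plus exclusions, reports any address two servers would both hand out, and simulates a run of DHCPDISCOVER broadcasts with the first responder winning. The server names, ranges and exclusions are constructed; .254 is used as the last host address where Richard wrote .255, and the "first offer wins" behaviour is simplified from what real clients do. It shows address conflicts only; it says nothing about the mapped-drive symptom in the original post, which the thread never pins down.

```python
"""Two DHCP servers on one broadcast segment: pool overlap check and lease race.

Added example for this thread, not code from the posters or from any DHCP
product. All server names, ranges and exclusions are constructed.
"""
import ipaddress
import random
from dataclasses import dataclass, field


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Scope:
    name: str
    start: str
    end: str
    # Exclusion ranges as (first, last) address strings, inclusive.
    exclusions: list = field(default_factory=list)

    def pool(self) -> set:
        """Addresses this server will actually offer: range minus exclusions."""
        addrs = set(range(_to_int(self.start), _to_int(self.end) + 1))
        for first, last in self.exclusions:
            addrs -= set(range(_to_int(first), _to_int(last) + 1))
        return addrs


def overlaps(scopes) -> set:
    """Addresses (as ints) that more than one server would hand out."""
    seen = set()
    dupes = set()
    for scope in scopes:
        pool = scope.pool()
        dupes |= pool & seen
        seen |= pool
    return dupes


def simulate_leases(scopes, n_clients: int, seed: int = 0):
    """Each client broadcasts DISCOVER; servers answer in random order and the
    client binds to the first OFFER. Servers know only their own leases, so a
    duplicate address is visible only when the bindings are compared afterwards.
    Returns (bindings, conflicts) with conflicts as sorted dotted addresses."""
    rng = random.Random(seed)
    pools = {s.name: s.pool() for s in scopes}
    leased = {s.name: set() for s in scopes}
    bindings = []  # (client, server, address)
    for client in range(n_clients):
        responders = list(scopes)
        rng.shuffle(responders)  # whichever OFFER reaches the client first wins
        for s in responders:
            free = pools[s.name] - leased[s.name]
            if free:
                addr = min(free)  # hand out the lowest free address in this server's pool
                leased[s.name].add(addr)
                bindings.append((f"client{client:02d}", s.name, str(ipaddress.IPv4Address(addr))))
                break
    owner = {}
    conflicts = set()
    for _, server, addr in bindings:
        if addr in owner and owner[addr] != server:
            conflicts.add(addr)
        owner.setdefault(addr, server)
    return bindings, sorted(conflicts, key=_to_int)


# Constructed configurations for the three layouts under discussion.
SPLIT = [  # Richard's split ranges
    Scope("corp-router", "192.168.1.1", "192.168.1.120"),
    Scope("wifi-router", "192.168.1.121", "192.168.1.254"),
]
FULL_WITH_EXCLUSIONS = [  # Phillip's identical full range, exclusions do the partitioning
    Scope("dhcp-a", "192.168.1.1", "192.168.1.254", [("192.168.1.128", "192.168.1.254")]),
    Scope("dhcp-b", "192.168.1.1", "192.168.1.254", [("192.168.1.1", "192.168.1.127")]),
]
BROKEN = [  # same idea, but the exclusion was forgotten on the second server
    Scope("dhcp-a", "192.168.1.1", "192.168.1.254", [("192.168.1.128", "192.168.1.254")]),
    Scope("dhcp-b", "192.168.1.1", "192.168.1.254"),
]

if __name__ == "__main__":
    for label, layout in (("split", SPLIT), ("full+exclusions", FULL_WITH_EXCLUSIONS), ("broken", BROKEN)):
        dupes = overlaps(layout)
        _, conflicts = simulate_leases(layout, 40)
        print(f"{label:16s} overlapping addresses: {len(dupes):3d}  "
              f"duplicate leases after 40 clients: {conflicts[:3]}{' ...' if len(conflicts) > 3 else ''}")
```

Run it as a script to see that the split and full-range-with-exclusions layouts produce zero overlap and zero duplicate leases, while the layout with one missing exclusion hands the same low addresses out from both servers almost immediately. The same pool computation can be pointed at a real pair of servers by feeding in their configured ranges and exclusions before plugging the second server into the segment.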