newbie to home network dhcp worries

Moon

Hi, I have just connected 3 PCs to a Linksys BEFSR41 router, the router is
etherneted to a Linksys ADSL2MUE modem. I have changed the router's IP to
192.168.2.1 as the modem's address is 192.168.1.1
Both these boxes have a DHCP server - and NAT firewalls. My concern is
should both boxes be acting as DHCP servers? If not, which one is
preferable? Should both have the NAT firewall running?
Any advice suggestions appreciated! I have asked on a couple of home
networking forums only to come up with different opinions! Some say it's fine
to have both as DHCP servers, others say you should not have both doing
this!
Thanks
 
Richard G. Harper

No, you definitely should NOT let both devices serve up DHCP addresses, as
this can result in your network becoming segmented into two groups that
cannot talk to each other. Pick one or the other to be the DHCP server,
turn off the DHCP server on the other device.

You should probably turn on the firewall on the modem and turn off the
firewall on the router, or if all the computers in your network are
connected only to the BEFSR41 then you should check the firewalls in both
units and leave the best firewall enabled and disable the other.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Herb Martin

Moon said:
> Hi, I have just connected 3 PCs to a Linksys BEFSR41 router, the router is
> etherneted to a Linksys ADSL2MUE modem. I have changed the router's IP to
> 192.168.2.1 as the modem's address is 192.168.1.1

If the subnet mask is 255.255.255.0 then
these machines will NOT communicate.

Unless of course the router (likely) has two
NICs and you gave us only the address of
the router on the "inside", e.g., YourNetwork
subnet.

Where is the modem relative to the router?

?? ISP--modem---router---YourNetwork ??

If this is the case you probably don't need the
router, or you may want to put the modem in
"bridging mode" IF it supports that -- then
the External router connection will get the
address assigned by the ISP (either DHCP
or manually.)

You really CANNOT use the above scheme
(if that is what you have) unless that modem
supports MANUAL routing so that you can
teach it about YourNetwork (addresses) which
is routed through that intermediate router.

> Both these boxes have a DHCP server - and NAT firewalls. My concern is
> should both boxes be acting as DHCP servers? If not, which one is
> preferable? Should both have the NAT firewall running?

Notice that in my (assumed) scheme above, the
modem would ONLY be giving an address to the
External NIC of the router and the Router would
ONLY be giving addresses to YourNetwork -- if
things are going to work at all.

> Any advice suggestions appreciated! I have asked on a couple of home
> networking forums only to come up with different opinions! Some say it's fine
> to have both as DHCP servers, others say you should not have both doing
> this!

Does it work?
 
Moon

ISP - Modem - Router - PCs

Modem Ethernet lead out to Internet Ethernet in on router, then PCs from 3
of router's Ethernet ports.

Modem getting DHCP from ISP, modem set to 192.168.1.1 (internal?) subnet
255.255.255.0, router set to 192.168.2.1 subnet 255.255.255.0, PCs getting
DHCP and on checking status IP: 192.168.2.100, 192.168.2.101, 192.168.2.102
all with subnet 255.255.255.0

That's how it is now with both boxes serving DHCP, it does seem to work, all
PCs can talk/ping and access net, but is it the correct way? I assume the
NAT firewall is the same in both boxes, I run NIS05 as well and think I have
it set up correctly.
 
Leythos

> Hi, I have just connected 3 PCs to a Linksys BEFSR41 router, the router is
> etherneted to a Linksys ADSL2MUE modem. I have changed the router's IP to
> 192.168.2.1 as the modem's address is 192.168.1.1
> Both these boxes have a DHCP server - and NAT firewalls. My concern is
> should both boxes be acting as DHCP servers? If not, which one is
> preferable? Should both have the NAT firewall running?
> Any advice suggestions appreciated! I have asked on a couple of home
> networking forums only to come up with different opinions! Some say it's fine
> to have both as DHCP servers, others say you should not have both doing
> this!
> Thanks

If I understand you correctly you have this setup:

INTERNET <> ADSL2MUE <> BEFSR41 <> Computers

With this setup your ADSL gets an IP from the ISP, the BEFSR41 gets
an IP from the ADSL unit, and the computers get an IP from the BEFSR.

As long as the private side of both ADSL and BEFSR are different
networks you are fine.

You could set up the BEFSR41 to have a Fixed WAN address, but, you would
need to specify the DNS settings. In reality, your setup is not much
different than others, both systems get a leased IP from their parent
and your traffic is working.

Where you may run into trouble is getting inbound traffic from the
internet (for games, VOIP, etc...) to work properly through a double
NAT. You also need to understand that NAT does not make either of these
devices a Firewall, not even close. NAT only blocks unsolicited inbound
traffic to your network.

In your setup, since the ADSL is using NAT, there should be no
unsolicited traffic reaching the BEFSR unit.

I would set up the ADSL unit to pass the public IP through to the BEFSR
unit, meaning that I would not NAT the public IP at the ADSL unit. I
would let the BEFSR unit do the NAT - this way you could install
WallWatcher on a PC and enable logs in the router and watch all in/out
bound traffic for problems.

In summary, as long as both NAT networks are on different subnets
(192.168.1.X and 192.168.2.X with a 255.255.255.0 mask) you will have no
problems, even with DHCP enabled. Both devices are completely capable of
working in a Dynamic mode and will update just fine.
 
Moon

Thanks, I now see why it's working, but I will try some of the suggestions
like running NAT just on the router.
 
Herb Martin

Moon said:
> ISP - Modem - Router - PCs

Your most likely (REAL) problem is that the
modem has NO IDEA about the 192.168.2.x
network. See below for the solution to that***

> Modem Ethernet lead out to Internet Ethernet in on router, then PCs from 3
> of router's Ethernet ports.
>
> Modem getting DHCP from ISP, modem set to 192.168.1.1 (internal?) subnet
> 255.255.255.0,

That much makes sense.

And the ROUTER needs to get an address like
192.168.1.2 (or anything 192.168.1.x) manually
or by DHCP from the Modem.

But note, if you aren't giving out the address to
the external side of the router automatically,
then DHCP on the modem is IRRELEVANT;
it will neither hurt nor help but it is irrelevant.

> router set to 192.168.2.1 subnet 255.255.255.0, PCs getting
> DHCP and on checking status IP: 192.168.2.100, 192.168.2.101, 192.168.2.102
> all with subnet 255.255.255.0

That's fine and this makes the Modem DHCP
irrelevant to all but possibly the Router (external
side.)

> That's how it is now with both boxes serving DHCP, it does seem to work, all
> PCs can talk/ping and access net, but is it the correct way?

It's not really a DHCP question and those that told you
they could not both serve DHCP were wrong, while
those that told you it would work were either wrong or
misunderstanding your real problems since the Router
is going to need a static address and only the router
will see the Modem DHCP.

Why can DHCP work from both? Because they are
servicing DIFFERENT subnets. But let's fix the real
problems.

> I assume the
> NAT firewall is the same in both boxes, I run NIS05 as well and think I have
> it set up correctly.

It better not be -- it needs to be a DHCP client on the
external side OR you need to manually give it an
address compatible with the modem device address,
e.g., modem-192.168.

***Your most likely (REAL) problem is that the
modem has NO IDEA about the 192.168.2.x
network. See below for the solution to that...

You need to add the equivalent of this static route
command to the Modem:

route add 192.168.2.0 mask 255.255.255.0 192.168.1.2
(but this will require a MANUAL address on the
router external, NOT DHCP, and not all little modems
can do this.)

Why do you have both of these?
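An added example, not part of the original posts: a Python check of the chained-router layout argued over in this thread. It flags overlapping LAN subnets, checks that each inner WAN address sits on the upstream LAN, and lists the static routes an upstream device needs when an inner router does not NAT. The dictionary layout and the router WAN address 192.168.1.2 are assumptions made for the example.

```python
import ipaddress
from itertools import combinations

# Constructed topology for the thread's layout: ISP - modem - router - PCs.
# Devices are listed outermost first. The router's WAN address 192.168.1.2
# is an assumed fixed address (or DHCP reservation) on the modem's LAN.
CHAIN = [
    {"name": "ADSL2MUE", "lan": "192.168.1.0/24", "wan_ip": None, "nat": True},
    {"name": "BEFSR41", "lan": "192.168.2.0/24", "wan_ip": "192.168.1.2", "nat": True},
]


def overlapping_lans(chain):
    """Return name pairs of devices whose LAN subnets overlap."""
    nets = [(d["name"], ipaddress.ip_network(d["lan"])) for d in chain]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def wan_mismatches(chain):
    """Return inner devices whose WAN address is not on the upstream LAN."""
    bad = []
    for upstream, inner in zip(chain, chain[1:]):
        lan = ipaddress.ip_network(upstream["lan"])
        if ipaddress.ip_address(inner["wan_ip"]) not in lan:
            bad.append(inner["name"])
    return bad


def static_routes_needed(chain):
    """Return (device, network, mask, gateway) routes upstream devices need.

    A LAN behind a NAT device is hidden behind that device's WAN address,
    so nothing upstream needs a route to it. A LAN behind a plain router
    (nat=False) must be routed on every upstream device up to and
    including the first one that performs NAT.
    """
    routes = []
    for i in range(1, len(chain)):
        if chain[i]["nat"]:
            continue
        net = ipaddress.ip_network(chain[i]["lan"])
        for j in range(i - 1, -1, -1):
            gateway = chain[j + 1]["wan_ip"]
            routes.append((chain[j]["name"], str(net.network_address),
                           str(net.netmask), gateway))
            if chain[j]["nat"]:
                break
    return routes


def as_route_command(route):
    """Format a route in the 'route add' style quoted in the thread."""
    _, network, mask, gateway = route
    return f"route add {network} mask {mask} {gateway}"


if __name__ == "__main__":
    print("overlaps:", overlapping_lans(CHAIN))
    print("WAN mismatches:", wan_mismatches(CHAIN))
    # Same layout with NAT switched off on the inner router only.
    routed = [CHAIN[0], dict(CHAIN[1], nat=False)]
    for r in static_routes_needed(routed):
        print(r[0], "needs:", as_route_command(r))
```

With NAT on both boxes the route list is empty; with NAT off on the inner router the modem needs the route shown in the post above.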
 
Herb Martin

No, this is not fine unless the routing has been arranged.
(on the Modem), see below...

> Thanks, I now see why it's working, but I will try some of the suggestions
> like running NAT just on the router.

NO, you MUST run NAT on at least the Modem (the
most external device) and do not need it on the internal
router.

Possibly you will have trouble with the translation,
but not necessarily and you definitely will have an
issue with the ROUTING from the modem to the
internal network behind the Router box.

--
Herb Martin
 
Moon

'Why do you have both of these?'
Free ADSL modems from ISPs usually have USB, I already had the router that
needs an Ethernet modem, so I bought the Linksys modem thinking this would
solve the problem. My understanding is configuring the internet connection
this way will allow the other PCs to receive the net even if my PC is off,
as they are going to the router then modem.
 
Leythos

> No, this is not fine unless the routing has been arranged.
> (on the Modem), see below...

Yes, it is, and it works fine. I can daisy chain 100 Linksys routers
using DHCP on the WAN for IP and providing DHCP on the LAN side, and as
long as each LAN side is a different subnet, the computers on the 100'th
router will be fully able to reach the internet.

> NO, you MUST run NAT on at least the Modem (the
> most external device) and do not need it on the internal
> router.

NO, you don't have to run NAT on the modem, and you probably don't want
to run NAT on it since there are two NAT devices in the network. The
modem acts as the primary connection to the internet - if it provides NO
NAT, it will give the connection (LAN side) the PUBLIC IP assigned to
it. Once you give the public IP to the internal router, fixed WAN IP,
you can run NAT on the linksys router and all your machines can easily
share the connection:

ISP <> MODEM - PUBLIC IP - LINKSYS ROUTER/NAT Private IP's (works good)

> Possibly you will have trouble with the translation,
> but not necessarily and you definitely will have an
> issue with the ROUTING from the modem to the
> internal network behind the Router box.

The only problem will be services that don't support NAT or when you
want one of the computers to host services on the net with public
access. This would mean you would have to have a 1:1 NAT, with ports
forwarded from the ADSL modem to the IP of the Router and from the
router to the LAN IP of the host provider:


Daisy chaining routers with NAT works fine as long as everyone has a
different subnet.
 
Herb Martin

Moon said:
> 'Why do you have both of these?'
> Free ADSL modems from ISPs usually have USB,

Today, most of them give you a choice unless the
tech looks at your stuff and decides the USB is
the only choice or he is too lazy to help you make
the Ethernet work.

> I already had the router that
> needs an Ethernet modem, so I bought the Linksys modem thinking this would
> solve the problem.

What problem? (The USB?)

> My understanding is configuring the internet connection
> this way will allow the other PCs to receive the net even if my PC is off,
> as they are going to the router then modem.

You now have two points of failure for all the
PCs: the router AND the modem/ISP/ADSL.

Did you understand the rest of my last post?

It diagnosed and offered the solution to your
problems along with the DHCP explanation....
 
Herb Martin

Leythos said:
> Yes, it is, and it works fine. I can daisy chain 100 Linksys routers
> using DHCP on the WAN for IP and providing DHCP on the LAN side, and as
> long as each LAN side is a different subnet, the computers on the 100'th
> router will be fully able to reach the internet.

It will not work for the extra net -- it has nothing
to do with the daisy chain-- it has nothing directly
to do with the DHCP.

The problem is that the FIRST Modem/router cannot
find the interior subnet(s) UNLESS it has the IP of
the next most interior router.

IF it assigns that address dynamically it is not going
to know the address for you to give it a static route.

So, you must either give it a reservation -- which is
functionally equivalent to a manual address (note,
I said DHCP is NOT the real problem but rather the
dynamic address) OR you run a dynamic routing
protocol on BOTH(All) routers which is overkill
for such networks even if they all support such.

> NO, you don't have to run NAT on the modem, and you probably don't want

Look, you need to think it through: The EXTERNAL
router is going to get the ONLY public address, so
NAT there is ESSENTIAL and unavoidable.

ISP (public addresses) Modem (privateAddresses) Router (private...)

NAT on any interior router is irrelevant and at best
unnecessary trouble.

> ISP <> MODEM - PUBLIC IP - LINKSYS ROUTER/NAT Private IP's (works good)

Exactly and that is why the MOST EXTERNAL router
must be the NAT -- that is LEFT MOST in your
configuration here.

> ISP <> MODEM - NAT IP's - LINKSYS ROUTER/NAT Private IP's (works good)

But mostly the right hand side is just stupid (but yes it will
work, as I said above, but that MODEM better be a NAT.
 
Leythos

> It will not work for the extra net -- it has nothing
> to do with the daisy chain -- it has nothing directly
> to do with the DHCP.
>
> The problem is that the FIRST Modem/router cannot
> find the interior subnet(s) UNLESS it has the IP of
> the next most interior router.
>
> IF it assigns that address dynamically it is not going
> to know the address for you to give it a static route.
>
> So, you must either give it a reservation -- which is
> functionally equivalent to a manual address (note,
> I said DHCP is NOT the real problem but rather the
> dynamic address) OR you run a dynamic routing
> protocol on BOTH(All) routers which is overkill
> for such networks even if they all support such.
>
> Look, you need to think it through: The EXTERNAL
> router is going to get the ONLY public address, so
> NAT there is ESSENTIAL and unavoidable.
>
> ISP (public addresses) Modem (privateAddresses) Router (private...)
>
> NAT on any interior router is irrelevant and at best
> unnecessary trouble.
>
> Exactly and that is why the MOST EXTERNAL router
> must be the NAT -- that is LEFT MOST in your
> configuration here.
>
> But mostly the right hand side is just stupid (but yes it will
> work, as I said above, but that MODEM better be a NAT.

I think we're not talking the same thing here, or I'm missing your
point, here is what I'm saying:


All COMPUTERS can access the internet without any problem - since the
routers keep track of their leases and renew their leases they all have
a path outbound for the computers to access.

If you want inbound from internet to a computer acting as a web server,
then you should configure each router with a fixed WAN side IP in the
prior router's subnet (make it 192.168.x.2). Next forward port 80 to your
LAN side IP 2 (as long as you used X.2), and then on the last one,
forward 80 to the fixed IP of the computer running the web server.

Now, if you were to leave EVERYTHING as DHCP, you could forward port 80
to the first DHCP IP in the stack of every router, since the routers
would have each other as the first dynamic address and nothing else is
there to take a lease - most would be X.100 if using a linksys. The only
catch is the web hosting computer, it would need to be assigned a fixed
IP unless it also was the only device on the LAN side of 192.168.5.x -
since as the only device it would always re-lease 5.100 (if using a
linksys).

If you are saying that this won't work, well, I've actually done this 8
deep all using DHCP on the WAN and LAN side, and outbound has worked
perfectly. Inbound only works if you forward and only have one device
per lease :)
 
Herb Martin

>> But mostly the right hand side is just stupid (but yes it will
> I think we're not talking the same thing here, or I'm missing your
> point, here is what I'm saying:

You are missing the fact that the device he is calling
"the Modem" has been described by him as a ROUTER,
NAT, DHCP server.

It "the Modem" is the only device with an EXTERNAL
address.

It is the device that must be a NAT -- now some of these
devices have the ability to be turned into Bridges which
I suggested in the early responses might help him but
you have been arguing for the need to NAT back within
the INTERNAL address subnets where it is at best
unnecessary.

> Internet <> WAN=DHCP > ROUTER (netopia - NAT) 192.168.1.1/24 >

"The Modem" is actually being used as a ROUTER
according to his description.
 
Leythos

> You are missing the fact that the device he is calling
> "the Modem" has been described by him as a ROUTER,
> NAT, DHCP server.

No I didn't miss it. He's said it was doing NAT, and I suggest that he
have them set it up to provide a Public IP on the LAN side of it. But,
even with a NAT'd IP on the LAN side, it would still allow full outbound
access without any problem.

> It "the Modem" is the only device with an EXTERNAL
> address.

And that is not a problem - the Modem (or router or NAT or anything)
gets a public IP through a DHCP assignment from the ISP, it can also
provide a 192.168.x.y to the LAN side for use by anything there,
including another router/nat.

If his "modem" gets a NAT'd address, it still works.

> It is the device that must be a NAT -- now some of these
> devices have the ability to be turned into Bridges which
> I suggested in the early responses might help him but
> you have been arguing for the need to NAT back within
> the INTERNAL address subnets where it is at best
> unnecessary.

He didn't ask for forwarding ability to the internal network, at least
not that I've seen. He asked if the dual NAT's were needed and if he
could disable one of them.

He also said that the dual NAT setup with DHCP enabled, was also working
fine.

> "The Modem" is actually being used as a ROUTER
> according to his description.

That was my description and the NAT system is a router.

So, he wanted to know the following:

> Hi, I have just connected 3 PCs to a Linksys BEFSR41 router, the router is
> etherneted to a Linksys ADSL2MUE modem. I have changed the router's IP to
> 192.168.2.1 as the modem's address is 192.168.1.1
> Both these boxes have a DHCP server - and NAT firewalls. My concern is
> should both boxes be acting as DHCP servers? If not, which one is
> preferable? Should both have the NAT firewall running?
> Any advice suggestions appreciated! I have asked on a couple of home
> networking forums only to come up with different opinions! Some say it's fine
> to have both as DHCP servers, others say you should not have both doing
> this!


Question 1: should both act as DHCP servers?
Answer 1: In his setup it makes little difference.

Question 2: if not which one is preferable?
Answer 2: The inner router connected to the PC's should be doing NAT,
the outer router/modem should have a public IP on its LAN side.

Question 3: Should both have the NAT firewall running?
Answer 3: NAT is not a firewall. If you use NAT there will not be any
problems accessing the internet, only if you want to host a web server
or other services on your computers and provide access to them from the
internet. If you are not providing any internet services to the public
then it makes no difference.

Question 4: some say its fine to have both as dhcp servers, others say
you should not.
Answer 4: If you run DHCP on any segment it means that devices can
change IP's - if only a single device on any segment, then that device
SHOULD be assigned the same IP every time the lease is renewed. So, in a
dual NAT/DHCP setup, the linksys (being the only device on the ADSL
network LAN side) should always have the first IP in the ADSL's scope.
The computers (3) on the Linksys side may change IP's as they renew
their leases based on normal DHCP renewals.

NOTE: If it were my network I would have a Public IP on the ADSL side
and NAT only the Linksys side, but, in reality, unless running a server
inside the network, it would make little difference to any computer
asking for http/smtp/pop/etc.. connections to the outside world.
 
Herb Martin

> No I didn't miss it. He's said it was doing NAT, and I suggest that he
> have them set it up to provide a Public IP on the LAN side of it.

You cannot in general do that. If you think this
is the way to solve such a simple problem you
might want to think it through.

But unless and until you arrange that (which he
hasn't and which isn't realistic for 99.99%) he
must run NAT on the MOST EXTERNAL router.

There is no other choice -- as even if you were
to move the public addresses "inside" you would
really be moving the point where Internal is
separated from external.

> And that is not a problem - the Modem (or router or NAT or anything)
> gets a public IP through a DHCP assignment from the ISP, it can also
> provide a 192.168.x.y to the LAN side for use by anything there,
> including another router/nat.

No, it is NOT a problem unless he fails to run
NAT on the most external router (the Modem)
as you tried to suggest.

You were wrong, just have the grace to admit
it and move on or just don't bother to respond with
more confusion on your part unless you really wish
to learn how it should can can work.

[snipped a bunch of irrelevant prattling.]
 
Leythos

> No, it is NOT a problem unless he fails to run
> NAT on the most external router (the Modem)
> as you tried to suggest.
>
> You were wrong, just have the grace to admit
> it and move on or just don't bother to respond with
> more confusion on your part unless you really wish
> to learn how it should can can work.

I think you're not looking at anything I've posted, and it's clear
you've never tried it.

We have two options for the external device:

If his external device has a Public IP on the LAN side, or if it has a
NAT'd IP on the LAN side, it makes no difference to ANY of the devices
on the LAN side. Public or Private, the LAN devices can reach the
internet. If the external LAN side has another NAT device connected to
it, and the WAN side of the internal device uses DHCP to get its IP,
then the external device will provide an IP to the WAN side of the
internal device. The internal device, having a private (nat'd) LAN
range, can also provide service to its lan side devices - fixed IP or
DHCP assigned.

What part of that don't you understand - it doesn't make any difference
if the external device has a public or private LAN side addresses!

If he runs the external device such that the LAN side of it has the
ability to provide the public IP to the LAN side device, it works also -
no NAT needed on the external device.
 
Herb Martin

> If his external device has a Public IP on the LAN side, or if it has a

It doesn't and very few ISPs would allow that
in any case.
 
Leythos

> It doesn't and very few ISPs would allow that
> in any case.

Every ISP (except 2) from the east coast to the west coast that I worked
with that provides DSL or Cable connections (about 40 last year) used a
LAN side public IP for residential and business class accounts by
default. I've only seen two that provided NAT'd addresses by default.
There are also several that provide a modem capable of issuing a NAT'd
range while also being able to issue a public IP on the LAN side, but
not both at the same time.

My CISCO Ubr900 can provide both (since I have more than 1 IP) NAT'd and
Public IP's to any of the 4 ports on it. If I connect a computer, DHCP
enabled, to it, it will give me a 192.168.x.y address, if I set it for
24.X.Y.Z, it will also work, as long as I don't use the first IP
assigned to the Ubr. I only use it with public LAN side addresses as I
have a WatchGuard Firebox hooked to it.

As another example, MegaPath is one of the DSL providers that we found
issuing a Private address by default from the Netopia router, a call to
them and it was switched to a fixed public IP, but it will still issue a
dynamic IP on the lan side if the single public IP is not being used.

Most ISP's in my experience in the US, provide a public IP and expect
the users to know how to secure their machines. I guess they figure that
public has less support issues than a NAT'd address.
 
Herb Martin

Leythos said:
> Every ISP (except 2) from the east coast to the west coast that I worked
> with that provides DSL or Cable connections (about 40 last year) used a
> LAN side public IP for residential and business class accounts by

That is just silly or a lack of experience as almost
none of the ISPs will give you public addresses for
your internal LAN, Roadrunner, SBC, etc., without
you paying extra.

Even then you are likely better off using a NAT
which provides services on all supplied IPs
(usually 5, 13, etc) and then does address mapping
(not just port mapping) if you wish to expose
particular internal machines.

No matter -- he did NOT have this situation and you
didn't tell him to ask for that -- and you don't know
that HIS ISP supports it.

And again, if you move the EXTERNAL-INTERNAL
boundary further into the LAN you just confirm the
design I offered you.

You made technical mistakes and won't accept the
obvious corrections with grace, which is no longer
interesting to me.

OUT.
 
