DHCP Server additional scope outside own IP range

Dieter Tontsch (GMail) 972 Reputation points
2021-11-10T16:22:44.66+00:00

I have a question: is it possible to create and make use of a Windows DHCP Server (AD-integrated) scope whose IP segment lies outside of the server's own range?
For example, if the server has the IP 192.168.0.3/21, can I add, in addition to the scope 192.168.2.0-192.168.7.255, an additional scope like 192.168.200.0/24?

In my tests, I can add this scope, but for some reason there is no chance for a client to get an IP from this new scope, including scope-specific options for DNS, def. GW etc. Either it gets one from the "regular" scope, or, if I prohibit this by using policies on that scope I do not want to make use of for these certain client(s), etc., it doesn't get any IP at all. But never from that new scope. Also, DHCP filters are not per scope, but for the whole DHCP server, right?
And is it required for this to work that the DHCP Server itself additionally has an IP assigned from that new range, like if the range is 192.168.200.100-192.168.200.254, the server has, besides its real IP, something like 192.168.200.3 assigned? If it hasn't assigned itself a scope-valid IP, is it required to work with routing in order to be able to reach clients from that scope range, in case it would work?

Any suggestions are highly appreciated.

kind regards,
Dieter Tontsch


Accepted answer
  1. Gary Reynolds 9,621 Reputation points
    2021-11-12T22:55:46.52+00:00

    Hi Dieter,

    This would be the ideal configuration:

    [image: 148963-dhcp-network.png]

    This makes the assumption that your firewall has multiple network ports or supports VLANs, so each of the network segments can be separated. The firewall would also need to support IP helper functionality to be able to forward DHCP packets to the DHCP server.

    The DHCP server would have all the IP address scopes defined, each scope would provide the corresponding gateway address for each network segment.

    However, I think you are talking about this type of configuration, where all the devices are connected to a single broadcast domain and the firewall is providing a logical separation rather than a physical one, as machines will be able to see the network traffic from the other network segments.

    [image: 149021-dhcp-network1.png]

    Would this work from a DHCP perspective? Yes; however, you will have the same problem you are having now: the DHCP server will issue an IP address from the pool that the server's IP address is in.

    For the servers I would recommend using static IP addresses to prevent any accidental IP address changes if there are any issues with the DHCP server or configuration. I've defined the ranges as /24 and /23 but you can change these to meet your needs.

    Gary.


5 additional answers

  1. Gary Reynolds 9,621 Reputation points
    2021-11-11T10:43:54.087+00:00

    Hi @Anonymous

    Yes, it is possible to configure the DHCP server to issue IP addresses for ranges that are not in the same IP address range as the server. This does require additional configuration at your network equipment level to support this functionality. The network equipment needs to be configured to support DHCP forwarding; this has a number of different names depending on the network vendor: IP forwarder, IP helper, DHCP relay agent, etc.

    The DHCP relay functionality is defined in the BOOTP RFC. This is used to forward DHCP requests from other network segments to the DHCP server; the network device will update the DHCP request to include the IP address of the relay agent in the giaddr field of the DHCPDISCOVER packet. This field is then used by the DHCP server to allocate an IP address from the corresponding IP address range to the client.

    Here are some details on the configuration requirements, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn338979(v=ws.11)#relay-agents

    Gary.


  2. Dieter Tontsch (GMail) 972 Reputation points
    2021-11-11T15:12:01.45+00:00

    Thanks Gary, but I don't really get it. Where do I need to configure DHCP Relay or helper etc.? There is no firewall or hop between the DHCP Server and my client in charge. This client also gets an IP from that server as long as it is allowed to get one from the scope which is part of the IP of the DHCP server itself.
    So where do I need to configure a helper IP in this case? On the DHCP Server?

    cheers,
    Dieter


  3. Gary Reynolds 9,621 Reputation points
    2021-11-12T01:48:50.383+00:00

    Hi @Anonymous

    Just a quick bit of background:

    The DHCP server will only allocate an IP address from the DHCP scope range that the client is connected to. There are two methods that the server uses to determine which pool to use to allocate an IP address.
    By either,

    1. The DHCP server receiving the DHCPDISCOVER broadcast packet directly on the bound IP address: the IP address is issued from the range that covers the server's IP address.
    2. From the scope range covering the IP address that is in the giaddr field of the DHCPDISCOVER packet that has been forwarded by a DHCP agent.

    You could try to add another IP address to the server and also bind the DHCP service to this new IP address as well; however, as the DHCPDISCOVER packet is a broadcast packet, you won't know which IP address is going to see and process the packet first.

    Question:

    If you have a flat network and no layer three routing, I suppose the question is what are you trying to achieve? If you could provide a bit more information I might be able to make a recommendation.

    Gary.

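The two selection paths Gary describes in this answer and in his first one (the interface the broadcast arrived on, versus the giaddr field written by a relay agent) can be traced with a small model. The following is an added example, not code from the thread and not Microsoft's DHCP server implementation: it builds a minimal DHCPDISCOVER, applies what a BOOTP relay agent does to it, and runs the scope-selection rule from RFC 2131 section 4.3.1 over an assumed scope table. The scope table, the per-scope router option, the server address 192.168.0.3, the MAC addresses and the "denied in scope" policy set are all assumptions chosen to mirror the thread's layout.

```python
"""Added example (not code from the thread or from Microsoft's DHCP server).

Models how a DHCP server picks a scope for a DHCPDISCOVER (RFC 2131, 4.3.1):
a packet received directly on a bound interface is matched against the scope
containing that interface's address; a packet forwarded by a relay agent
(RFC 1542 BOOTP relay) carries the relay's address in giaddr and is matched
against the scope containing giaddr.  Scope table, addresses, MACs and the
policy set below are assumptions chosen to mirror the thread."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOPS_OFF = 3        # byte offset of 'hops' in the fixed BOOTP header
GIADDR_OFF = 24     # byte offset of 'giaddr' (after ciaddr, yiaddr, siaddr)
CHADDR_OFF = 28     # byte offset of 'chaddr' (client hardware address)

# Assumed scope table: network -> per-scope router (option 3) and address pool.
SCOPES = {
    ipaddress.ip_network("192.168.0.0/21"): {
        "router": "192.168.0.1", "pool": ("192.168.2.10", "192.168.7.254")},
    ipaddress.ip_network("192.168.200.0/24"): {
        "router": "192.168.200.1", "pool": ("192.168.200.100", "192.168.200.254")},
}
# Assumed server policy: MACs denied inside a given scope (the thread's "policies").
DENIED = {ipaddress.ip_network("192.168.0.0/21"): {"00:11:22:33:44:55"}}


def build_discover(xid: int, mac: str) -> bytes:
    """Client-side DHCPDISCOVER as it leaves the NIC: hops = 0, giaddr = 0."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,        # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        chaddr, b"\0" * 64, b"\0" * 128)              # chaddr, sname, file
    options = b"\x35\x01\x01\xff"   # option 53 = DHCPDISCOVER (1), then END (255)
    return header + MAGIC_COOKIE + options


def relay(packet: bytes, relay_ip: str) -> bytes:
    """What an IP helper / DHCP relay agent does before unicasting to the server:
    write its client-facing address into giaddr, but only if giaddr is still
    zero so a second relay on the path does not overwrite the first; bump hops."""
    buf = bytearray(packet)
    if buf[GIADDR_OFF:GIADDR_OFF + 4] == b"\0" * 4:
        buf[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_ip).packed
    buf[HOPS_OFF] += 1
    return bytes(buf)


def packet_giaddr(packet: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(packet[GIADDR_OFF:GIADDR_OFF + 4])


def packet_mac(packet: bytes) -> str:
    return packet[CHADDR_OFF:CHADDR_OFF + 6].hex(":")


def select_scope(packet: bytes, received_on: str):
    """Server-side scope selection.  giaddr wins when it is set; otherwise the
    address of the interface the broadcast arrived on is used, which is why a
    flat network with no relay always lands in the server's own scope."""
    giaddr = packet_giaddr(packet)
    key = giaddr if int(giaddr) else ipaddress.IPv4Address(received_on)
    return next((net for net in SCOPES if key in net), None)


def offer(packet: bytes, received_on: str):
    """Return the DHCPOFFER contents (yiaddr + router option) or None when the
    server has nothing to give.  A policy denial does not fall through to
    another scope: scope selection is already over by the time it is checked."""
    net = select_scope(packet, received_on)
    if net is None or packet_mac(packet) in DENIED.get(net, set()):
        return None
    first, _last = SCOPES[net]["pool"]     # toy allocator: no lease tracking
    return {"scope": str(net), "yiaddr": first, "router": SCOPES[net]["router"]}


if __name__ == "__main__":
    disc = build_discover(0x1234, "aa:bb:cc:dd:ee:01")
    print("direct :", offer(disc, "192.168.0.3"))
    print("relayed:", offer(relay(disc, "192.168.200.1"), "192.168.0.3"))
    print("denied :", offer(build_discover(0x1235, "00:11:22:33:44:55"), "192.168.0.3"))
```

Run directly, the block shows the three outcomes from the thread: a broadcast received on the 192.168.0.3 binding is served from 192.168.0.0/21, the same packet after passing a relay at 192.168.200.1 is served from 192.168.200.0/24 with that scope's router, and a client denied by policy in the server's own scope gets nothing rather than an address from the other scope. On a Windows DHCP server the "received_on" address corresponds to the interface the service is bound to; with no relay on the path there is nothing that could ever put a 192.168.200.x address into giaddr.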

  4. Dieter Tontsch (GMail) 972 Reputation points
    2021-11-12T07:53:20.47+00:00

    Hi,
    thanks for these explanations, I know about DHCP being broadcast communication etc. Still good to get it explained in more depth.
    So, what I want to achieve:

    1. we have a LAN network like e.g. 192.168.0.0/21. We also have a DMZ network etc, but that's a different story.
    2. In this LAN network we are running everything, client PCs, servers, phones, network devices like switches etc. in the same subnet. The devices are somehow separated logically, like clients only have IPs 192.168.2.0-192.168.3.255, servers are all in 192.168.0.1-192.168.0.255 etc. But since everything has a /21 subnet, they are all together in the same network.
    3. now we'd like to segment our network in terms of having clients isolated from the rest, but also having eventually printers in an extra segment, some servers, and also some others etc.
    4. we want to do the above in order to be able to control traffic between them through our firewall. Because let's assume my client is in 192.168.0.0/21 (has IP 192.168.2.10/21) and my server is in 192.168.200.0/24 (has IP 192.168.200.10/24); they still would be both in the same physical LAN, but they need to go over a def. GW in order to talk to each other. And this def. GW would be my firewall, which has several rules for the same network zone LAN (because they still are all LAN and are bound to the same interface from the firewall perspective), but are in different source or destination networks, which I can control.

    We could do the above by not assigning DHCP addresses but static ones to the servers, but that's not nice. Also I would have to decide into which network I would place my DHCP server; since it's a Domain Controller as well, it's not ideal to assign it additional IPs. I did so and got issues from my monitoring, because it registered in DNS with the new IP too... (I don't know if it doesn't harm to assign a Domain Controller additional IPs, and also I do not know how to bind that IP additionally to the DHCP service). And if I just place it together with the other related servers into a single network, its role as a DHCP server as it works now will become very limited.
    We will probably segment our clients also physically by using another firewall port for all of them, including a DHCP service on the firewall, but that's not true for all my servers and other devices; they still should be served by this DHCP Server.

    That's what we plan to implement, trying to control traffic between different services in the same physical LAN, without working too much with VLANs on switches etc.

    thanks,
    Dieter

