How to set up 2 DHCP servers in a single network?
ForgottenSeer 58943 wrote (post 706084):

In the modern age there is almost NO protection offered by a simple NAT router. Literally none. You are way, way behind the times. Your advice was probably relevant 20 years ago, but is absolutely not relevant today. So please stop giving poor, even dangerous advice to people.

Harbor, I know a 'little' about these consumer and prosumer protection devices. I don't use them, but they utilize basic network principles to accomplish their goals. As for multiple DHCP servers, I have 8 distinct, segregated DHCP servers with physical port segregation and VDOMs on my network. For me it is possible, and in fact ideal in terms of network security, because it prevents lateral movement after the network is breached by an external actor. For you, having multiple DHCP servers won't work and will result in a disaster for your network and attached devices.

First, I don't like Cujo because it utilizes ARP manipulation and poisoning to accomplish its goals. It will work, obviously, but isn't ideal. Fingbox also utilizes ARP poisoning; as network engineers we totally hate ARP poisoning devices. Second, it appears eBlocker has to function as a DHCP server to even work, is that correct?

If so, your setup would be to disable the DHCP on your primary router, put the Cujo in bridge mode downstream from your primary router, run Cujo into a switch, then plug your eBlocker into the switch as a DHCP server. I am going to assume eBlocker requires itself to be a DHCP server to maintain dominion as DNS forwarder; that's a logical conclusion here.

Modem->Router(DHCP/DNS Disabled)->Cujo(Bridged)->Switch->eBlocker(DHCP Server)

That should get you working just fine. However, I do not feel this situation is ideal, and with less money and effort you could have a much more secure environment. What I would do if I were you would be to remove your router and put a small Untangle box behind your modem as your primary UTM. Then go to a switch. After the switch, put your router on the network in AP mode, then put a Pi-Hole on the network, load it up with blacklists for adblocking/telemetry/malware blocking, and point Untangle BACK to the Pi-Hole for DNS resolution. This will be MUCH faster and more efficient, and also more secure.

Modem->Untangle UTM(DHCP)->Switch->Pi-Hole->OldRouter(AP Mode)

My previous structure was: Modem->FortiGate E->FortiSandbox->Untangle(Transparent)->FortiSwitch->Bulldog RogueAP/Access Points->Pi-Hole.

My new structure is: Modem->FortiGate E->FortiSandbox->Port1,Port2 in VDOM1->Port3,Port4,Port5 in VDOM2, Port6,Port7 in VDOM3->FortiSwitch->Bulldog RogueAP/Access Points->Pi-Hole.

What this does is give me 8 distinct, PHYSICALLY separated networks with their own DHCP in their own VDOMs. Each network cannot communicate with any other network or internal device unless explicitly permitted by policy. This totally eliminates lateral movement in the network, which is a common occurrence in the modern age with hackers/intruders or even malware. This is complex, admittedly, and I have over 40 policies on the FortiGate to manage it all, with an explicit Deny/Deny/All for anything not policy allowed.

[Image: https://s13.postimg.org/m2fuz6nzr/policies.png]

[Image: https://s13.postimg.org/88ria65p3/26233054_2013598035592043_5403706671522719892_o.jpg]
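The post warns that two DHCP servers on one flat network end in conflict; the defender's check for that condition is to broadcast one DHCPDISCOVER and count how many distinct server identifiers answer it. The following is an added example, not code from the post or from any product named in it: it builds a minimal RFC 2131 DHCPDISCOVER, parses DHCPOFFER packets, and groups offers by server identifier (option 54); build_offer exists only to construct sample captures, and the addresses below are made up. Sending the DISCOVER over a broadcast UDP socket to port 67 and collecting replies on port 68 is left to the reader.

```python
import struct
MAGIC = b"\x63\x82\x53\x63"  # DHCP option "magic cookie" (RFC 2131)
_ip = lambda s: bytes(int(x) for x in s.split("."))
_fmt = lambda b: ".".join(str(x) for x in b)

def _header(op, xid, yiaddr, mac):
    # Fixed 236-byte BOOTP header: op, htype=Ethernet, hlen=6, hops, xid, secs,
    # flags (broadcast bit), ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, _ip(yiaddr), b"\0" * 4, b"\0" * 4,
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)

def build_discover(xid, mac):
    # DHCPDISCOVER a client broadcasts to 255.255.255.255:67; option 53=1, 55=param list
    return _header(1, xid, "0.0.0.0", mac) + MAGIC + b"\x35\x01\x01\x37\x03\x01\x03\x06\xff"

def build_offer(xid, mac, yiaddr, server):
    # DHCPOFFER as a server answers it (option 53=2, 54=server id); used for sample captures
    return _header(2, xid, yiaddr, mac) + MAGIC + b"\x35\x01\x02\x36\x04" + _ip(server) + b"\xff"

def parse_options(pkt):
    # Walk the TLV option area after the cookie; pad (0) has no length, end (255) stops
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_offer(pkt):
    # xid, offered address (yiaddr) and server identifier from a DHCPOFFER
    opts = parse_options(pkt)
    if pkt[0] != 2 or opts.get(53) != b"\x02" or 54 not in opts:
        raise ValueError("not a DHCPOFFER")
    return {"xid": struct.unpack("!I", pkt[4:8])[0],
            "yiaddr": _fmt(pkt[16:20]), "server": _fmt(opts[54])}

def dhcp_servers_seen(offers, xid):
    # Group OFFERs answering our xid by server identifier; >1 key = competing DHCP servers
    seen = {}
    for pkt in offers:
        info = parse_offer(pkt)
        if info["xid"] == xid:
            seen.setdefault(info["server"], []).append(info["yiaddr"])
    return seen
```

Run it on the captured replies to one DISCOVER: a single key in the result is the healthy case, two or more is the situation the post describes, and each key tells you which server to go and look at.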