Run Windows DHCP server or Router DHCP?

Have been running a Windows DHCP server on home WSE12R2 box for quite some time behind my Sophos UTM firewall. Also allowed me to seamlessly run Windows Deployment Services at home. WDS just worked.


But if I needed to make a particular LAN IP address exception on the firewall, I had to 1.) create a Windows DHCP server reservation AND 2.) create a network definition for that IP on the Sophos UTM box. 2 steps. Not very efficient; was sure I was doing something incorrectly...


Tried to migrate to Sophos UTM running the DHCP Server, but now WDS doesn't work. LAN devices can no longer PXE boot. Seems possible. Many guides. None have proven especially successful.


Is it possible to run a Windows DHCP server and have Sophos UTM import DHCP reservations instead of maintaining 2 unique entries for each IP reservation (one in Windows DHCP, another on Sophos UTM box)?


What is best practice?



Sent from my iPhone using Tapatalk

Drashna Jaelre


This is precisely what I do, actually. 


No settings need to be set on the Sophos UTM DHCP server. 

Basically, do not enable any of the TFTP options for it. Or any custom options. 


On the WDS server console, right click on the server name and select "Properties"

Go to the "DHCP" tab, and make sure both options are unchecked. 


Restart the WDS service, and then you should start getting responses



Specifically, the "do not listen on DHCP ports" option is probably the issue here. 

Disabling this means it listens for and may respond to "DHCP" requests. But it's not a "real" DHCP server. It's just a partial one. It still relies on an actual DHCP server to be on the network.  

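The same change Drashna describes through the WDS console, applied from an elevated PowerShell prompt on the WDS host with the built-in wdsutil tool. This is an added example, not something posted in the thread; it assumes the WDS role is already installed, that the LAN's only DHCP server is the Sophos UTM (or another box), and that the WDS host itself does not run the DHCP Server role.

```powershell
# Added example (not from the thread): set the two WDS "DHCP" tab options
# from the command line instead of the console, then restart WDS.
# Assumption: WDS is installed locally and a separate device (here the
# Sophos UTM) is the LAN's DHCP server; this host has no DHCP Server role.

# Console checkbox                                              -> wdsutil switch
# "Do not listen on DHCP ports"                       unchecked -> /UseDhcpPorts:Yes
# "Configure DHCP options to indicate that this is
#  also a PXE server" (option 60)                     unchecked -> /DhcpOption60:No
wdsutil /Set-Server /UseDhcpPorts:Yes /DhcpOption60:No

# The listener change only takes effect after the WDS service restarts.
Restart-Service -Name WDSServer

# Verify the settings stuck: dump the server config and show the DHCP lines.
wdsutil /Get-Server /Show:Config | Select-String -Pattern 'DHCP'
```

The mapping matters: with UseDhcpPorts:Yes, WDS binds UDP 67 alongside the real DHCP server elsewhere on the LAN and answers only the PXE part of the exchange, which is exactly the "partial DHCP server" behaviour described above. If WDS and the DHCP Server role ever end up on the same host, the opposite settings are required (UseDhcpPorts:No and DhcpOption60:Yes), otherwise the two services fight over port 67 and PXE clients get no boot server.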
Thanks. This helps. I wouldn't have found these options on my own.


Prior to making that change, I did learn how to configure the DHCP > Options on Sophos UTM to work with WDS. It wasn't exactly straightforward. Code 66 and 67.



Drashna Jaelre

Yeah, that's the "official" way to do so, but I've found that it really, really doesn't work.
