Specifying a DHCP Range for Wireless Clients?

Is it possible, within Windows DHCP (Windows Server 2003 R2 SP2), to
specify a range for wired clients and a separate range for wireless
clients?

Background: a small organization, two servers (both domain
controllers), one running DHCP. Client systems connected to this
network fall in three categories:

1. Permanently wired desktop systems for office workers, members of
the domain.
2. Wireless notebook systems for office workers, members of the
domain.
3. Guest laptops needing Internet connectivity only, not members of
the domain, wirelessly connected.

All three client types will be getting their addresses from DHCP. I
was thinking of disabling DHCP services on the wireless router
(Linksys) altogether. I wanted to specify a range of IP's, perhaps
even on a different subnet for the wireless clients to keep them as
separated as possible from the domain. Then create reservations for
the couple of laptops that are domain members, assuming that would
supercede whatever rules could be established to force wireless guests
to a different range/subnet.

Ideas? Suggestions? I'm open to anything at this point. I'm just
beginning the design phase.

Thanks!

1. You have a flawed plan if you create a situation where it actually
matters what IP# a Client gets. If you do that then you better just
statically assign everything and forget DHCP.

2. The Linksys box should never be allowed to run DHCP on the LAN. You
should be running DHCP on the DC or another member server so that DNS and
WINS get properly updated with the IP Specs of the Clients when the IP specs
periodically change.

3. The Guests need to be connected via a NAT box on the Public side of the
LAN so they are isolated from the LAN. Whether of not the NAT box is
wireless capable is up to you. since this box would not be on the LAN it
would be all right for it to run DHCP for the sake of the Guests that
connect to it. If your WAN design does not lend itself to puting the NAT
box on the Public side,...then you should get a second Internet connection
just for it and go with the cheapest low-cost one you can find. A lower
speed CableTV or DSL would serve that purpose, and it could also serve as an
emergency backup of your main internet connection if it goes down by moving
your "main" nat box over to the line temporarily.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Bazooka-Joe" <bazooka-(E-Mail Removed)> wrote in message
news:0afc3b7b-e919-4016-96cb-(E-Mail Removed)...
> Is it possible, within Windows DHCP (Windows Server 2003 R2 SP2), to
> specify a range for wired clients and a separate range for wireless
> clients?
>
> Background: a small organization, two servers (both domain
> controllers), one running DHCP. Client systems connected to this
> network fall in three categories:
>
> 1. Permanently wired desktop systems for office workers, members of
> the domain.
> 2. Wireless notebook systems for office workers, members of the
> domain.
> 3. Guest laptops needing Internet connectivity only, not members of
> the domain, wirelessly connected.
>
> All three client types will be getting their addresses from DHCP. I
> was thinking of disabling DHCP services on the wireless router
> (Linksys) altogether. I wanted to specify a range of IP's, perhaps
> even on a different subnet for the wireless clients to keep them as
> separated as possible from the domain. Then create reservations for
> the couple of laptops that are domain members, assuming that would
> supercede whatever rules could be established to force wireless guests
> to a different range/subnet.
>
> Ideas? Suggestions? I'm open to anything at this point. I'm just
> beginning the design phase.
>
> Thanks!

You may have many options. 1. If it is possible, setup a VLAN. For example,
in our company, we have 3 VLAN, one for intranet/domain network, student and
public. The student and public can't access domain network and they are in
the different subnets.

2. You may setup the wireless router in the DMZ as a DHCP server.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"Bazooka-Joe" <bazooka-(E-Mail Removed)> wrote in message
news:0afc3b7b-e919-4016-96cb-(E-Mail Removed)...
> Is it possible, within Windows DHCP (Windows Server 2003 R2 SP2), to
> specify a range for wired clients and a separate range for wireless
> clients?
>
> Background: a small organization, two servers (both domain
> controllers), one running DHCP. Client systems connected to this
> network fall in three categories:
>
> 1. Permanently wired desktop systems for office workers, members of
> the domain.
> 2. Wireless notebook systems for office workers, members of the
> domain.
> 3. Guest laptops needing Internet connectivity only, not members of
> the domain, wirelessly connected.
>
> All three client types will be getting their addresses from DHCP. I
> was thinking of disabling DHCP services on the wireless router
> (Linksys) altogether. I wanted to specify a range of IP's, perhaps
> even on a different subnet for the wireless clients to keep them as
> separated as possible from the domain. Then create reservations for
> the couple of laptops that are domain members, assuming that would
> supercede whatever rules could be established to force wireless guests
> to a different range/subnet.
>
> Ideas? Suggestions? I'm open to anything at this point. I'm just
> beginning the design phase.
>
> Thanks!

On Mar 25, 10:20*am, "Robert L. \(MS-MVP\)"
<blinNoEmailPle...@mvps.org> wrote:
> You may have many options. 1. If it is possible, setup a VLAN. For example,
> in our company, we have 3 VLAN, one for intranet/domain network, student and
> public. The student and public can't access domain network and they are in
> the different subnets.
>
> 2. You may setup the wireless router in the DMZ as a DHCP server.
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting onhttp://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access onhttp://www.HowToNetworking.com"Bazooka-Joe" <bazooka-...@comcast.net> wrote in message
>
> news:0afc3b7b-e919-4016-96cb-(E-Mail Removed)...
>
>
>
> > Is it possible, within Windows DHCP (Windows Server 2003 R2 SP2), to
> > specify a range for wired clients and a separate range for wireless
> > clients?
>
> > Background: a small organization, two servers (both domain
> > controllers), one running DHCP. *Client systems connected to this
> > network fall in three categories:
>
> > 1. *Permanently wired desktop systems for office workers, members of
> > the domain.
> > 2. *Wireless notebook systems for office workers, members of the
> > domain.
> > 3. *Guest laptops needing Internet connectivity only, not members of
> > the domain, wirelessly connected.
>
> > All three client types will be getting their addresses from DHCP. *I
> > was thinking of disabling DHCP services on the wireless router
> > (Linksys) altogether. *I wanted to specify a range of IP's, perhaps
> > even on a different subnet for the wireless clients to keep them as
> > separated as possible from the domain. *Then create reservations for
> > the couple of laptops that are domain members, assuming that would
> > supercede whatever rules could be established to force wireless guests
> > to a different range/subnet.
>
> > Ideas? *Suggestions? *I'm open to anything at this point. *I'm just
> > beginning the design phase.
>
> > Thanks!- Hide quoted text -
>
> - Show quoted text -


I guess I should have stated originally, this is a VERY small, non-
profit organization with not much of a budget for this kind of work.
Most of the equipment I have at my disposal is either old, borrowed,
or was obtained cheaply/free. Labor to design and implement whatever
I come up with will be donated. So, perhaps I should re-phrase the
question. Sparing me the "you get what you pay for"
anecdotes...what's the most efficient way to accomplish separating
guest wireless connections that need Internet access only, from
legitimate office workers on both wired desktops and wireless
laptops? I cringe at the idea of trusting the Linksys router for
network security, but perhaps I'll need to do that if I can't separate
things out a little via DHCP.

Perhaps DHCP is not the tool to attempt isolation/segregation with.
But GPO's/IPsec will only apply to members of the domain and guests
will only interact with resources on the LAN at the level of the
router and DHCP server. I don't have too many other options right
now. The only networking equipment I have at my disposal is A) a DSL
modem, B) a wireless Linksys router, and C) a small 6-8 port switch
with little to no onboard intelligence (doubtful any VLAN
capabilities). No DMZ, no ISA, no proxy, no dedicated firewalls, etc.

Suggestions? Thanks!

You're not going to accomplish squat with GPO and DHCP with respect to this.

Have two Linksys boxes,...place them Back-to-Back between the LAN and the
Internet.

The outermost one needs to be wireless. This is the one Guest will use and
they can use either wired or wireless.

The innermost Linksys will be the one the LAN uses. It can be wireless as
well but I would recommend a separate WAP (not a "router") for the wireless
part of it

This will work fine and is "cheap".

Setting up "inbound connections" will be a problem,...but it doesn't sound
like you have any of those.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Bazooka-Joe" <bazooka-(E-Mail Removed)> wrote in message
news:00b3668a-6579-4595-a6ab-(E-Mail Removed)...
On Mar 25, 10:20 am, "Robert L. \(MS-MVP\)"
<blinNoEmailPle...@mvps.org> wrote:
> You may have many options. 1. If it is possible, setup a VLAN. For
> example,
> in our company, we have 3 VLAN, one for intranet/domain network, student
> and
> public. The student and public can't access domain network and they are in
> the different subnets.
>
> 2. You may setup the wireless router in the DMZ as a DHCP server.
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting
> onhttp://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access
> onhttp://www.HowToNetworking.com"Bazooka-Joe" <bazooka-...@comcast.net>
> wrote in message
>
> news:0afc3b7b-e919-4016-96cb-(E-Mail Removed)...
>
>
>
> > Is it possible, within Windows DHCP (Windows Server 2003 R2 SP2), to
> > specify a range for wired clients and a separate range for wireless
> > clients?
>
> > Background: a small organization, two servers (both domain
> > controllers), one running DHCP. Client systems connected to this
> > network fall in three categories:
>
> > 1. Permanently wired desktop systems for office workers, members of
> > the domain.
> > 2. Wireless notebook systems for office workers, members of the
> > domain.
> > 3. Guest laptops needing Internet connectivity only, not members of
> > the domain, wirelessly connected.
>
> > All three client types will be getting their addresses from DHCP. I
> > was thinking of disabling DHCP services on the wireless router
> > (Linksys) altogether. I wanted to specify a range of IP's, perhaps
> > even on a different subnet for the wireless clients to keep them as
> > separated as possible from the domain. Then create reservations for
> > the couple of laptops that are domain members, assuming that would
> > supercede whatever rules could be established to force wireless guests
> > to a different range/subnet.
>
> > Ideas? Suggestions? I'm open to anything at this point. I'm just
> > beginning the design phase.
>
> > Thanks!- Hide quoted text -
>
> - Show quoted text -


I guess I should have stated originally, this is a VERY small, non-
profit organization with not much of a budget for this kind of work.
Most of the equipment I have at my disposal is either old, borrowed,
or was obtained cheaply/free. Labor to design and implement whatever
I come up with will be donated. So, perhaps I should re-phrase the
question. Sparing me the "you get what you pay for"
anecdotes...what's the most efficient way to accomplish separating
guest wireless connections that need Internet access only, from
legitimate office workers on both wired desktops and wireless
laptops? I cringe at the idea of trusting the Linksys router for
network security, but perhaps I'll need to do that if I can't separate
things out a little via DHCP.

Perhaps DHCP is not the tool to attempt isolation/segregation with.
But GPO's/IPsec will only apply to members of the domain and guests
will only interact with resources on the LAN at the level of the
router and DHCP server. I don't have too many other options right
now. The only networking equipment I have at my disposal is A) a DSL
modem, B) a wireless Linksys router, and C) a small 6-8 port switch
with little to no onboard intelligence (doubtful any VLAN
capabilities). No DMZ, no ISA, no proxy, no dedicated firewalls, etc.

Suggestions? Thanks!