Router – How WANs work and why it is it bad to run DNS and DHCP on a router

dhcpdnspfsenserouterwan

I have some networking questions about isolating networks and why it's bad to run DHCP and DNS on a router and should be run on a server.

Question 1:

What is the purpose of the WAN interface and how does it separate a local virtual environment from the public internet? And how is it similar to a cable modem?

Question 2:

DNS and DHCP are typically running on a server; why is it not a good idea to run these services on a router?

Best Answer

WAN is a very subjective term. Routers have interfaces. Some types of router interfaces are more likely to be used as or called WAN interfaces. For example, PPP, HDLC, Frame relay, etc. are rarely used internally in a company, and are generally considered WAN protocols. On the other hand, ethernet, token ring, Wi-Fi, etc. are generally used on an internal LAN. Each of those protocols could actually be used on a WAN or a LAN.

In general, a WAN is a network connecting geographically separate locations.

DNS and DHCP are not actually router functions. Many router vendors include such server software in their router software. The problem is that the router versions of the servers are limited compared to a dedicated server, and you may not want to use router resources (RAM and CPU) to do these functions on a busy router. The real point of a router is to route packets as quickly and efficiently as possible, and running servers can interfere with the primary routing function.

Related Solutions

Cisco – Advice for network & device configuration using Comcast Modem

When you have the modem in bridge mode, your laptop works because it is using DHCP to get its IP address and other information from Comcast. You will need to set the router to do the same thing.

I have this same setup with a my cable Internet provider with a Cisco ISR G2 router:

interface GigabitEthernet0/0
 description WAN
 ip address dhcp
 ip access-group WAN_Firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect WAN_Inspect out
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 service-policy output QoS-WAN-Out
end

You need to have your router receive DHCP for its WAN address. You will also need to configure NAT and DHCP (unless you have that on another server) on the router.

The full configurations for your firewall, NAT, DHCP, etc. are too broad to cover.

pfSense – Port Forwarding on Double-NAT Setup

I think you really just need to disable NAT on the pfSense router/firewall. You simply don't need to use NAT to route or use the firewall. You can use the firewall to disallow users from accessing the ISP services, and you get the boot services that work on pfSense. This should solve the double-NAT port forwarding problem.

The pfSense documentation tell you how to disable the firewall:

Disable NAT

To completely disable NAT to have a routing-only firewall, do the following.

pfSense 2.2 And Later

Navigate to Firewall > NAT on the Outbound tab

Select Disable Outbound NAT rule generation (No Outbound NAT rules)

Click Save

Apply changes

Prior Versions

Navigate to Firewall > NAT on the Outbound tab

Select Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

Click Save

Delete all rules from the list on the page

Click Apply changes

NAT may be performed on some interfaces and not others by configuring Outbound NAT rules accordingly.

Details may be found in the pfSense book.

Best Answer

Related Solutions

Cisco – Advice for network & device configuration using Comcast Modem

pfSense – Port Forwarding on Double-NAT Setup

Disable NAT

pfSense 2.2 And Later

Prior Versions

Related Topic