DHCP for Public Wifi


(Brad Crawley) #1

What are the larger churches using for public WiFi DHCP? We have over 2000 clients on a weekend and our public WiFi DHCP server struggles to keep up.

We are currently using Open DHCP on a Windows 2012 R2 server. I would love to use Windows DHCP but I can’t afford to pay for CALs for all of the public clients. I use Windows DHCP on our private network and we have no issues with DHCP on our private network.

We have a SonicWall NSA 3600 and I tried using DHCP on it for public WiFi but it struggled more than Open DHCP.

What happens is people all of a sudden stop receiving addresses. Once the crowd dies down it starts working again.

I know there are larger churches than us out there that have tackled this issue. I would appreciate any guidance! Thank you!


(Chris Green) #2

Even if you run a third-party DHCP server you are subject to the CAL requirements if it is running on Windows. Before 4/1/2018 I would have told you to go get a super cheap External Connector License but they are now no longer donation eligible. That said, that still may be cheaper than your other options. I would look at the following.

  1. Purchase External Connector License and run Windows DHCP. Cost is $795 per VM Host or physical server. (Previously $250 as donation)
  2. Install a Linux VM and run a lightweight DHCPd.
  3. Consider other devices on your network that might be able to serve DHCP (Cisco Switches, etc.)

(Chris Green) #3

BTW you might be able to make the DHCPd on the SonicWall perform adequately with some tuning. Did you disable bad address scanning? That process slows down responses too much.


(Brad Crawley) #4

I thought I read somewhere that External Connector License wouldn’t cover DHCP for public WiFi. If I read that wrong I’d gladly pay the $795. We never had any issues when I was using Windows DHCP on the public side.

I set up the SonicWall using the default settings for DHCP.


(Alex Conner) #5

Any user accessing any service hosted on a server running Windows (or proxied to a server running Windows) requires CAL Licensing even if the software they are accessing isn’t a Microsoft product directly. You’re licensing the access to the server, not the software itself. Some services have exemptions, like IIS when serving pages to users who don’t log in, or Exchange allowing sending servers to connect inbound without explicit licensing. And other products, like SQL or Sharepoint, have their own licensing on top of Windows. But DHCP requires a CAL, and even your MFPs need to be covered.

If you follow the standard practice of licensing user CALs, then your user/workgroup MFPs are typically covered under that, as well as their mobile devices, personal devices, etc. so the remaining folks are visitors to your facility and easily covered by an external connector.

All that said, aside from defective DHCP implementations like SonicWall, generally when I’ve run into trouble allocating addresses over WiFi it’s due to a signal or stability issue on the wireless side. It looks like Open DHCP uses text configuration files, so if you’re comfortable it’s always worth trying out ISC-DHCP-DAEMON as well. It’s absolutely rock solid and will run alongside BIND or Unbound on a 128 MB Debian VM and not need to be touched.


(Bob Bauman) #6

Brad,

We have fewer clients than you do (peaks at 400-500 concurrent connections on a Sunday morning, don’t know how many total). I use a Linux VM for DHCP and it has worked very well. That VM also performs routing, content filtering, logging, DNS and firewalling for the public wifi. It’s never had an issue handling those functions.

The MS licensing rules hurt my head, and the licenses cost real money, so to avoid that, I make use of a number of Linux VMs to provide various services. For me, Linux VMs are a necessity.

Bob


(Beau de Graaf) #7

Either a custom PC with PFSense running, a MacMini running OS X Server App or my current favorite, Ubiquiti Edgerouter Lite ERLITE-3 Desktop Router.

-Beau


(Isaac Johnson) #8

Try Zentyal or ClearOS if you are new to Linux and need to run some services like DHCP and aren’t a CLI warrior. You can get things running pretty easy-peasy on those two. I usually use Linux for the entire server infrastructure unless there is some app that requires a Windows server.


(Norman Ho) #9

Can consider Meraki network devices.

Enable NAT
Centralized DHCP servers often fail or become slow when hundreds or thousands of clients request an IP address in a short time. Imagine all those conference attendees attempting to join the network at the same time. Painful! We strongly recommend enabling Meraki NAT, which spreads the DHCP load among all the APs.


(Chris Green) #10

It is definitely one of the specific scenarios that Microsoft uses as an example in their Q&A doc on the subject. You also need it if you’re running any sort of member portal on IIS (Rock, Ministry Platform, Arena, etc.) that isn’t hosted somewhere using SPLA licensing. As soon as a user authenticates to a site on IIS it requires a CAL, no matter how that authentication happens.


(BA) #11

+1 for running ISC DHCP…should be able to run it on pretty much any *nix machine (or virtual)…if you are uncomfortable in *nix, webmin may help


(Mark Simmons) #12

We went the Meraki route for DHCP. Have an MX-84 that is handling 500-700 clients a day with no performance issues. I know you are considerably north of that number. But still hope this helps.


(Norman Ho) #13

Meraki Recommendations:
MX84 for 200 clients
MX100 for 500 clients
MX250 for 2,000 clients

I am sure the limit is higher for each as you don’t get so many concurrent connections at the same time.


(Derek Schwab) #14

We use a Windows server. We run well over 2000 on the guest network at peak times and no issues. Yes, it requires a Windows license and external connector license. But we already have those and would need them regardless of whether we run DHCP, so there is no additional cost.


(Norman Ho) #15

This might help.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/759becd0-9fbe-44e6-aac8-6f50036294c2/windows-2008-r2-x64-dhcp-server-maximum-scope-?forum=winserverNIS


(Greg Brenneman) #16

We have an NSA 2600 which we use for all WiFi, private or public, and it handles the DHCP (and other duties) with no problems. It sounds like you are running out of addresses. We put our public WiFi VLAN in a subnet range that allows for expansion. We currently have up to 2000 addresses available, and run about 450 on Sunday.

Also, be sure to set a short enough lease time so addresses given out Sunday morning expire before Sunday night.

-Greg
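The pool-exhaustion point Greg makes above (a scope that is large enough for one service can still run dry when morning leases are still outstanding at night) can be checked with a simple occupancy model. This is an added example, not code from anyone in this thread; the Sunday arrival pattern, the pool size of 2000 dynamic addresses and the two candidate lease times are constructed assumptions, and it deliberately ignores clients that renew or rebind an existing lease.

```python
"""Lease-pool occupancy model for a guest WiFi DHCP scope (added example).

Worst-case assumption: every distinct device that joins takes a fresh lease
and the server must hold that address until the lease expires, whether or not
the device is still on site.  Renewals and rebinds are not modelled.
"""
from dataclasses import dataclass


@dataclass
class Scope:
    usable_addresses: int   # addresses in the dynamic pool (reservations excluded)
    lease_seconds: int      # default-lease-time handed to guest clients


def peak_outstanding_leases(join_times, lease_seconds):
    """Return the largest number of unexpired leases at any single instant.

    join_times: seconds-since-midnight at which distinct devices first get
    an address.  Each lease is held for exactly lease_seconds.
    """
    events = []
    for t in join_times:
        events.append((t, 1))                     # address handed out
        events.append((t + lease_seconds, -1))    # address returned to pool
    # Sort by time; at equal times, process expirations (-1) before grants (+1).
    events.sort(key=lambda e: (e[0], e[1]))
    live = peak = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)
    return peak


def pool_exhausts(scope, join_times):
    """True if the scope would have to refuse at least one DHCPDISCOVER."""
    return peak_outstanding_leases(join_times, scope.lease_seconds) > scope.usable_addresses


def sunday_join_times(service_starts, devices_per_service, arrival_window=1800):
    """Constructed arrival pattern: devices_per_service distinct devices per
    service, arriving evenly during the arrival_window seconds before it starts."""
    times = []
    for start in service_starts:
        for i in range(devices_per_service):
            times.append(start - arrival_window + (i * arrival_window) // devices_per_service)
    return times


# Constructed scenario: 9:00, 11:00 and 18:00 services, 1,500 distinct devices each.
SERVICES = [9 * 3600, 11 * 3600, 18 * 3600]
JOINS = sunday_join_times(SERVICES, 1500)
EIGHT_HOUR = Scope(usable_addresses=2000, lease_seconds=8 * 3600)  # morning leases linger all day
ONE_HOUR = Scope(usable_addresses=2000, lease_seconds=3600)        # morning leases gone by 10:00
```

With the eight-hour lease the 9:00 and 11:00 crowds overlap in the pool (3000 outstanding leases against 2000 addresses), while the one-hour lease never has more than one service's devices outstanding at once.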