Second DHCP SERVER

MicroclothMicrocloth Southport, Queensland, AustraliaMember Posts: 5
First Comment
edited April 29 in Devices & Security
I have just joined the Premium membership of Fing in the hope that someone can put me on the straight and narrow with DHCP Servers.  FingBox has detected two active servers.  The first is my standard gateway.  The second identifies my Swann NVR16-8580 Security System as the source.   While setting up the NVR I set DHCP and it appears with one IP address on Fing.   The NVR shows that it has allocated an entirely different set of IP Addresses to each of the cameras attached.   They show up in Fing with MAC addresses but no IP address.   Can someone tell me if this is the norm for these systems and is the Fing warning of a vulnerability valid.   I assume that you can have two servers as long as they don't throw out conflicting IP Addresses.   I would be grateful for some advice as I am just getting into the realm of DHCP and the like.   On a follow up matter,  should I allocate static addresses to the cameras rather than as current or is this a security no-no or a potential for failure or is their any point in doing so.  The real question is - is this normal that only the NVR shows up in Fing and not the cameras?   Grateful for some clear advice on this as I don't want to poke around too much and wreck what currently works.  Regards...

Best Answers

  • MicroclothMicrocloth Southport, Queensland, AustraliaMember Posts: 5
    First Comment
    Accepted Answer
    I think you are right there Marc.   I was talking to Swann this morning and they confirmed that the NVR allocated its own IP Addresses to each of the cameras, ie.  My NVR is something like 192.18.0.200 but the cameras are conseq 172.166.0.1, 2,3, 4 etc.   The Swann chap thought they should all be visible in Fing by their IP address but that goes back to the two active DCHP servers.   I think I will just put up with it as I can see the camera output on my TV, iPad, iPhone and Desktop (Mac). using the various apps.  I would be interested in anyone else owning a Swann multi-camera ethernet connected system if they too get the two active server message and if their camera IPs are allocated by the NRV or by the Gateway DHCP.   Thanks for sticking with it.  I appreciate your thoughts and assistance.  Regards...
  • Tom_OUSATom_OUSA Member Posts: 3
    Photogenic First Answer First Comment
    Accepted Answer

    Microcloth, You are correct in all your assumptions. It is perfectly normal in a smaller network to have more than one DHCP server control the IP's for their own subnet. In the case of a DVR/NVR, it's likely much easier to turn on DHCP and allow it to assign IP's to the cameras. This way you don't have to manage them.

    Many applications have difficulty in finding all the IP's downstream of DHCP servers, while easily finding those attached to the same subnet that the PC or app is attached to. This can be from various issues.

    Don't forget, that routers and switches utilize mac address, not IP address. Hence, the ARP protocol comes into play to convert IP's to macs. And another point of confusion, the main router will have a resolution table, a PC can have a resolution table, an NVR can too. So, apps like Fing can have difficulty sorting it all out, working with multiple vendors, formats, and sometimes limited access privileges to the equipment.

    Fing will also have problems looking beyond WiFi extenders add well. Extenders spoof the mac address, usually the front 2 and rear 2 bytes. So, this breaks the naming and grouping functions of Fing.

    So, while Fing does a great job, especially compared to some others, it isn't perfect yet. For small networks it does quite well. For larger networks, Fings new parent company, LANSweeper, has a robust larger scale product that is designed for corporate networks. It's 100 device or less limit is free; devices are pc's, printers, routers, switches, monitors, IoT's, etc. It's a Windows or Mac install only, no mobile app. Very nice but complicated.

    Regards, Tom

    Microcloth

Answers

  • MarcMarc Moderator, Beta Tester Posts: 2,376
    100 Answers 1000 Comments 500 Likes 250 Awesomes
    ✭✭✭✭✭✭
    @Microcloth, I'll take a first stab at the DHCP aspect of this thread.  Yes you can have two DHCP Servers on the same segment, and as you mentioned, as long as you set them to give out different ranges, they will not conflict.  But, because DHCP requests are just broadcasted, any of your DHCP Servers can conceivably respond to a request from any object on the segment they cover.  There is no way to control this on a single segment other then having an intricate symphony of limited addresses, blacklists and Mac address reservations.  Even then it gets complicated.  For a small network, it makes little sense.  It would be much simpler to just turn DHCP off of one of the two machines giving the addresses out.

    As for the cameras not showing up, it could be because Fing is unable to resolve the IP addresses due to the dual DHCP server configuration you are using.  I could be wrong here and lets rope in @Robin from Fing to see if he can lend a bit of insight into this.
    Thats Daphnee, she's a good dog...
    Microcloth
  • MicroclothMicrocloth Southport, Queensland, AustraliaMember Posts: 5
    First Comment
    edited April 29
    Thanks Marc, I appreciate the response.   The arrangement that Swann appears to use seems to work OK as I didn’t realise it was a concern until Fing alerted me to it.   Hopefully someone can confirm if this is a serious security Concern  and needs to be fixed or I can live with it.   In searching other sources about this, I note that others can access individual cameras via their IP but maybe they weren’t Swann systems.   Cheers!
  • MarcMarc Moderator, Beta Tester Posts: 2,376
    100 Answers 1000 Comments 500 Likes 250 Awesomes
    ✭✭✭✭✭✭
    edited April 29
    Fing might be raising this as a concern probably in the scenario of someone setting up a rogue DHCP server on your network and maybe that would be a security concern in general.  But as you know they both exist and they are both yours, this would appears not to be an issue.
    Thats Daphnee, she's a good dog...
    Microcloth
  • hopkins35hopkins35 Member Posts: 16
    10 Comments First Answer 5 Agrees 5 Likes
    edited May 1
    @Microcloth you haven't mentioned what type of DHCP servers these are. Microsoft DHCP servers, in a multi-DHCP environment can and should be setup in a failover/load balancing mode so as to not conflict with one another, see my answer here for a brief explanation of how this works.
    If you are working with DHCP servers that don't have this ability i.e. simple DHCP servers built into a home router, for example, then you should not have more than one operating on the same subnet because DHCP as a process is relatively dumb and the client device will simply deal with which ever server responds quickest and this will lead to IP address conflicts. As a most basic fix you might find a setting that you can tweak that delays the response of one of the servers to give you a fudged form of failover
  • MicroclothMicrocloth Southport, Queensland, AustraliaMember Posts: 5
    First Comment
    Thanks for the follow up Hopkins35.  Sorry for the delay in responding.  I am not sure what type of DHCP server these are - I in grey water here.  For want of appearing ignorant - I use a Mac - connecting to the Telstra Gateway through their provided modem. The second is obviously within the Swann Security System NVR which allocates its unique IP address as soon as a camera is attached.   The addresses are totally different to the Gateway DHCP allocation.   I have had no issue of conflict yet but that is so far.   One issue I have noticed is that of the 12 cameras I have attached, Fing only sees the MAC address of 11 of them.  It has no problem picking up the NVR itself as its IP address is allocated by the Gateway DHCP server.  I am concerned only because Fing highlights the problem of having two active servers.   Thanks again for the suggestion.
  • MicroclothMicrocloth Southport, Queensland, AustraliaMember Posts: 5
    First Comment
    Thanks Tom_OUSA.   That is a great explanation and eases my concerns.  I am grateful for your time taken to lay it out.  Thanks also to all who jumped in to help.  This board is a good resource for we who are a wee bit out of our depth.  All the best from Aussie!
Sign In or Register to comment.