IPv4 Private Address Space


IPv4 Private Address Space

Louis Garcia
According to standards set forth in Internet Engineering Task Force
(IETF) document RFC-1918, the following IPv4 address ranges are
reserved by the IANA for private internets:

10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255

dhcpd does not seem to like the subnet/mask combination.

          authoritative;
          default-lease-time 600;
          max-lease-time 7200;
          subnet 172.16.4.0 netmask 255.240.0.0 {
                      option domain-name-servers 172.16.4.1;
                      option broadcast-address 172.31.255.255;
                      option routers 172.16.4.1;
                      option ntp-servers 172.16.4.1;
                      range 172.16.4.50 172.16.4.254;
          }

May 11 16:07:01 dhcpd[4540]: Internet Systems Consortium DHCP Server 4.4.2b1
May 11 16:07:01 dhcpd[4540]: Copyright 2004-2019 Internet Systems Consortium.
May 11 16:07:01 dhcpd[4540]: All rights reserved.
May 11 16:07:01 dhcpd[4540]: For info, please visit https://www.isc.org/software/dhcp/
May 11 16:07:01 dhcpd[4540]: /etc/dhcp/dhcpd.conf line 4: subnet 172.16.4.0 netmask 255.240.0.0: bad subnet number/mask combination.
May 11 16:07:01 dhcpd[4540]: subnet 172.16.4.0 netmask 255.240.0.0
May 11 16:07:01 dhcpd[4540]:                     ^
May 11 16:07:01 dhcpd[4540]: Configuration file errors encountered -- exiting
May 11 16:07:01 dhcpd[4540]:
May 11 16:07:01 dhcpd[4540]: This version of ISC DHCP is based on the release available
May 11 16:07:01 dhcpd[4540]: on ftp.isc.org. Features have been added and other changes
May 11 16:07:01 dhcpd[4540]: have been made to the base software release in order to make
May 11 16:07:01 dhcpd[4540]: it work better with this distribution.
May 11 16:07:01 dhcpd[4540]:
May 11 16:07:01 dhcpd[4540]: Please report issues with this software via:
May 11 16:07:01 dhcpd[4540]: https://bugzilla.redhat.com/
May 11 16:07:01 dhcpd[4540]:
May 11 16:07:01 dhcpd[4540]: exiting.
May 11 16:07:01 dhcpd.service: Main process exited, code=exited, status=1/FAILURE
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: IPv4 Private Address Space

Rudy Zijlstra
Hi

On 11-05-2021 23:38, Louis Garcia wrote:

> According to standards set forth in Internet Engineering Task Force
> (IETF) document RFC-1918, the following IPv4 address ranges are
> reserved by the IANA for private internets,
>
> 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
> 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
> 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255
>
> dhcpd does not seem to like subnet/mask combination.
>
>            authoritative;
>            default-lease-time 600;
>            max-lease-time 7200;
>            subnet 172.16.4.0 netmask 255.240.0.0 {
>                        option domain-name-servers 172.16.4.1;
>                        option broadcast-address 172.31.255.255;
>                        option routers 172.16.4.1;
>                        option ntp-servers 172.16.4.1;
>                        range 172.16.4.50 172.16.4.254;
You are using only a /24 (255.255.255.0). Why then the huge netmask
above? This would cause an enormous memory allocation which seems
totally uncalled for.

Cheers

Rudy

RE: IPv4 Private Address Space

Thor Simon
In reply to this post by Louis Garcia
What exactly are you trying to do?  There is not a /12 (255.240.0.0 netmask) of addresses available starting at 172.16.4.0 -- you have given the mask and broadcast address for the entire 172.16.0.0/12 containing range, but your subnet address is offset from the start of the containing netblock by 1024 addresses.  The DHCP server is entirely right to reject this nonsensical configuration.

Do you have an existing /22 at 172.16.0.0 that you're trying to work around?

Thor


Re: IPv4 Private Address Space

Louis Garcia
On Tue, May 11, 2021 at 5:51 PM Thor Simon <[hidden email]> wrote:

>
> What exactly are you trying to do?  There is not a /12 (255.240.0.0 netmask) of addresses available starting at 172.16.4.0 -- you have given the mask and broadcast address for the entire 172.16.0.0/12 containing range, but your subnet address is offset from the start of the containing netblock by 1024 addresses.  The DHCP server is entirely right to reject this nonsensical configuration.
>
> Do you have an existing /22 at 172.16.0.0 that you're trying to work around?
>
> Thor

Currently I have three networks 172.16.2.0/24 172.16.3.0/24
172.16.4.0/24. I read that not all of 172.16.0.0 is private, only
172.16.0.0/12. I am trying to not have public routable IPs on my
network. Please let me know if this setup is fine.

          # DHCP Server Configuration file.

          authoritative;
          default-lease-time 600;
          max-lease-time 7200;

          # Client system architecture type: RFC4578
          option arch code 93 = unsigned integer 16;

          subnet 172.16.2.0 netmask 255.255.255.0 {
                      option domain-name-servers 172.16.2.1;
                      option broadcast-address 172.16.2.255;
                      option routers 172.16.2.1;
                      option ntp-servers 172.16.2.1;
                      range 172.16.2.50 172.16.2.254;
                      if option arch = 00:07 {
                            filename "/grub/shim.efi";
                      }
                      next-server 172.16.2.5;
          }

          subnet 172.16.3.0 netmask 255.255.255.0 {
                      option domain-name-servers 172.16.3.1;
                      option broadcast-address 172.16.3.255;
                      option routers 172.16.3.1;
                      option ntp-servers 172.16.3.1;
                      range 172.16.3.50 172.16.3.254;
          }

          subnet 172.16.4.0 netmask 255.255.255.0 {
                      option domain-name-servers 172.16.4.1;
                      option broadcast-address 172.16.4.255;
                      option routers 172.16.4.1;
                      option ntp-servers 172.16.4.1;
                      range 172.16.4.50 172.16.4.254;
          }

Re: IPv4 Private Address Space

Rudy Zijlstra


On 12-05-2021 00:04, Louis Garcia wrote:

> On Tue, May 11, 2021 at 5:51 PM Thor Simon <[hidden email]> wrote:
>> What exactly are you trying to do?  There is not a /12 (255.240.0.0 netmask) of addresses available starting at 172.16.4.0 -- you have given the mask and broadcast address for the entire 172.16.0.0/12 containing range, but your subnet address is offset from the start of the containing netblock by 1024 addresses.  The DHCP server is entirely right to reject this nonsensical configuration.
>>
>> Do you have an existing /22 at 172.16.0.0 that you're trying to work around?
>>
>> T
> Currently I have three networks 172.16.2.0/24 172.16.3.0/24
> 172.16.4.0/24. I read that not all of 172.16.0.0 is private, only
> 172.16.0.0/12. I am trying to not have public routable IPs on my
> network. Please let me know if this setup is fine.
>
>            # DHCP Server Configuration file.
>
>            authoritative;
>            default-lease-time 600;
>            max-lease-time 7200;
>
>            # Client system architecture type: RFC4578
>            option arch code 93 = unsigned integer 16;
>
>            subnet 172.16.2.0 netmask 255.255.255.0 {
>                        option domain-name-servers 172.16.2.1;
>                        option broadcast-address 172.16.2.255;
>                        option routers 172.16.2.1;
>                        option ntp-servers 172.16.2.1;
>                        range 172.16.2.50 172.16.2.254;
>                        if option arch = 00:07 {
>                              filename "/grub/shim.efi";
>                        }
>                        next-server 172.16.2.5;
>            }
>
>            subnet 172.16.3.0 netmask 255.255.255.0 {
>                        option domain-name-servers 172.16.3.1;
>                        option broadcast-address 172.16.3.255;
>                        option routers 172.16.3.1;
>                        option ntp-servers 172.16.3.1;
>                        range 172.16.3.50 172.16.3.254;
>            }
>
>            subnet 172.16.4.0 netmask 255.255.255.0 {
>                        option domain-name-servers 172.16.4.1;
>                        option broadcast-address 172.16.4.255;
>                        option routers 172.16.4.1;
>                        option ntp-servers 172.16.4.1;
>                        range 172.16.4.50 172.16.4.254;
>            }
This one should work, yes

Rudy


Re: IPv4 Private Address Space

José Queiroz
In reply to this post by Louis Garcia


Em ter., 11 de mai. de 2021 às 19:04, Louis Garcia <[hidden email]> escreveu:

Currently I have three networks 172.16.2.0/24 172.16.3.0/24
172.16.4.0/24. I read that not all of 172.16.0.0 is private, only
172.16.0.0/12. I am trying to not have public routable IPs on my
network. Please let me know if this setup is fine.

172.16.0.0 is all private.

So is 172.17, 172.18 and so on, until 172.31.0.0. In fact, the reserved address space starts on 172.16.0.1 and goes all the way through 172.31.255.254. This is what the "/12" prefix means. Note that bigger networks use smaller prefixes, and smaller networks use bigger prefixes.

Your networks 172.16.2.0/24, 172.16.3.0/24 and 172.16.4.0/24 are a tiny portion of the original network. In fact, you could easily use the "255.255.248.0" (/21) netmask to describe them.



Re: IPv4 Private Address Space

Simon Hobson
In reply to this post by Louis Garcia
Louis Garcia <[hidden email]> wrote:

>> According to standards set forth in Internet Engineering Task Force
>> (IETF) document RFC-1918, the following IPv4 address ranges are reserved by the IANA for private internets,
>>
>> 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
>> 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
>> 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255

Correct.
But just because 172.16.0.0/12 is reserved doesn't mean you have to use all 1,048,576 addresses in that block, and you don't have to use /12 as your mask. The /12 here simply tells you that everything from 172.16.0.0 to 172.31.255.255 is in that reserved space.
The DHCP server will not allocate anything you haven't told it to, and your border routers (and certainly your ISP) should be filtering any of these RFC1918 addresses out - "nothing out, nothing in" should be the policy for them.
Also, because of the way the server works, it's a really bad idea to create large blocks (though I think that relates to ranges, rather than subnets) as it makes in-memory tables huge.


>> dhcpd does not seem to like subnet/mask combination.
>>
>>          authoritative;
>>          default-lease-time 600;
>>          max-lease-time 7200;
>>          subnet 172.16.4.0 netmask 255.240.0.0 {
>>                      option domain-name-servers 172.16.4.1;
>>                      option broadcast-address 172.31.255.255;
>>                      option routers 172.16.4.1;
>>                      option ntp-servers 172.16.4.1;
>>                      range 172.16.4.50 172.16.4.254;
>>          }

Yes, as already mentioned, that's not a valid address & mask.


> Currently I have three networks 172.16.2.0/24 172.16.3.0/24
> 172.16.4.0/24. I read that not all of 172.16.0.0 is private, only
> 172.16.0.0/12. I am trying to not have public routable IPs on my
> network. Please let me know if this setup is fine.
>
>          # DHCP Server Configuration file.
>
>          authoritative;
>          default-lease-time 600;
>          max-lease-time 7200;
>
>          # Client system architecture type: RFC4578
>          option arch code 93 = unsigned integer 16;
>
>          subnet 172.16.2.0 netmask 255.255.255.0 {
>                      option domain-name-servers 172.16.2.1;
>                      option broadcast-address 172.16.2.255;
>                      option routers 172.16.2.1;
>                      option ntp-servers 172.16.2.1;
>                      range 172.16.2.50 172.16.2.254;
>                      if option arch = 00:07 {
>                            filename "/grub/shim.efi";
>                      }
>                      next-server 172.16.2.5;
>          }
>
>          subnet 172.16.3.0 netmask 255.255.255.0 {
>                      option domain-name-servers 172.16.3.1;
>                      option broadcast-address 172.16.3.255;
>                      option routers 172.16.3.1;
>                      option ntp-servers 172.16.3.1;
>                      range 172.16.3.50 172.16.3.254;
>          }
>
>          subnet 172.16.4.0 netmask 255.255.255.0 {
>                      option domain-name-servers 172.16.4.1;
>                      option broadcast-address 172.16.4.255;
>                      option routers 172.16.4.1;
>                      option ntp-servers 172.16.4.1;
>                      range 172.16.4.50 172.16.4.254;
>          }

Yes, that's just fine.



Simon

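The alignment rule Thor and Simon describe (a subnet number with host bits set under its mask is rejected), together with José's observation that the three /24s fit in one /21, as an added example that is not from the thread or from ISC's code: a Python script using only the standard `ipaddress` module that re-checks constructed copies of the two dhcpd.conf fragments posted above (the nested `if` block is left out, since the simple regex does not handle nesting).

```python
"""Re-check ISC dhcpd subnet declarations the way the server does at startup.
Added example, not ISC code: the alignment test mirrors dhcpd's "bad subnet
number/mask combination" error; the other checks are extra review steps."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed fragments of the two configurations posted in this thread
# (nested "if ... { }" blocks omitted; the regex below does not handle nesting).
BAD_CONF = """
subnet 172.16.4.0 netmask 255.240.0.0 {
    option broadcast-address 172.31.255.255;
    option routers 172.16.4.1;
    range 172.16.4.50 172.16.4.254;
}
"""

GOOD_CONF = """
subnet 172.16.2.0 netmask 255.255.255.0 {
    option broadcast-address 172.16.2.255;
    option routers 172.16.2.1;
    range 172.16.2.50 172.16.2.254;
}
subnet 172.16.3.0 netmask 255.255.255.0 {
    option broadcast-address 172.16.3.255;
    range 172.16.3.50 172.16.3.254;
}
subnet 172.16.4.0 netmask 255.255.255.0 {
    option broadcast-address 172.16.4.255;
    range 172.16.4.50 172.16.4.254;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
BCAST_RE = re.compile(r"option\s+broadcast-address\s+(\S+);")
RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+);")


def check_subnet(addr, mask, body):
    """Return the list of problems in one subnet block (empty list == OK)."""
    problems = []
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    network = iface.network
    # dhcpd's test: the subnet number must have no host bits set under the mask.
    if iface.ip != network.network_address:
        offset = int(iface.ip) - int(network.network_address)
        problems.append(f"bad subnet number/mask combination: {addr}/{mask} is "
                        f"{offset} addresses past {network.network_address}")
        return problems  # the checks below only make sense for an aligned subnet
    # Private address space: the whole subnet must sit inside one RFC 1918 block.
    if not any(network.subnet_of(block) for block in RFC1918):
        problems.append(f"{network} is not inside any RFC 1918 block")
    # A broadcast-address option must match the one the mask implies.
    m = BCAST_RE.search(body)
    if m and ipaddress.ip_address(m.group(1)) != network.broadcast_address:
        problems.append(f"broadcast-address {m.group(1)} != {network.broadcast_address}")
    # Every dynamic range must lie inside the subnet and be ordered low..high.
    for lo, hi in RANGE_RE.findall(body):
        lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_ip > hi_ip or lo_ip not in network or hi_ip not in network:
            problems.append(f"range {lo} {hi} is not within {network}")
    return problems


def check_conf(text):
    """Map each 'subnet/netmask' declaration in a dhcpd.conf to its problems."""
    return {f"{addr}/{mask}": check_subnet(addr, mask, body)
            for addr, mask, body in SUBNET_RE.findall(text)}


def covering_supernet(text):
    """Smallest single prefix that contains every subnet declared in text."""
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m, _ in SUBNET_RE.findall(text)]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


if __name__ == "__main__":
    for label, conf in (("original", BAD_CONF), ("revised", GOOD_CONF)):
        for key, problems in check_conf(conf).items():
            print(f"[{label}] {key}: {'; '.join(problems) or 'OK'}")
    # The three /24s collapse into 172.16.0.0/21 (netmask 255.255.248.0).
    print("one prefix covering the revised subnets:", covering_supernet(GOOD_CONF))
```

The offset reported for the original declaration is the 1024 addresses Thor mentions, and the covering prefix is José's /21; running it against a real dhcpd.conf before `systemctl restart dhcpd` catches the same error the service would otherwise exit on.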

Re: IPv4 Private Address Space

Philippe Maechler
Sorry to hijack this thread. I often read about the memory usage when one uses larger subnets/ranges.

What are larger subnets?

At $dayjob we use lots of /24s, several hundred /30s and about two dozen /20s. The memory usage on a recent server is ignorable and the startup times are also way below one minute...

How is it with DHCPv6? There we have even larger pools with ia-na, -pd and -ta. Is the memory "setup" different?

tia
philippe 


Re: IPv4 Private Address Space

Bob Harold
At the University of Michigan, the smaller DHCP servers use about 100 MB of RAM for the dhcpd process.  The largest servers use about 350 MB of RAM to serve 270,000 dynamic DHCP addresses.
So a difference of 250 MB of RAM looks like about 1 KB of RAM per IP address in the DHCP ranges, would be my guess.  (Did I get that right?)

--
Bob Harold
DNS and DHCP Hostmaster - UMNet
Information and Technology Services (ITS)
[hidden email]   734-512-7038

