Problem with shared-network

classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

Problem with shared-network

robert
I have a Debian 7.0 running isc-dhcp-server 4.2.2.

My server has a single NIC, and using iproute, I've added additional
addresses (some lines snipped for brevity):

eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:192.168.220.111  Bcast:192.168.220.255
Mask:255.255.255.0

eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0

My goal is for the dhcp server to hand out unknown clients addresses from
the 10.111.111.X pool, and known client to get something from the
192.168.220.X pool. Since these are on the same subnet, I [believe] this
requires a shared-network block. My dhcpd.conf file looks like (with
comments and global options stripped out for brevity):

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                range 192.168.200.194 192.168.200.200;
                range 192.168.200.215 192.168.200.250;

                ignore unknown-clients;
  <bunch of options removed>
        } #subnet 192.168.200.0

        subnet 10.111.111.0 netmask 255.255.255.0 {
                range 10.111.111.5 10.111.111.200;
                allow unknown-clients;
<bunch of options removed>
        } #subnet 10.111.111.0
} #shared-network

It runs, but only gives out 192 addresses. If I reverse the order, so the
10 subnet declaration comes first, then it hands out 10 addresses, but not
192 addresses.

Any ideas what I am doing wrong?

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

Bob Harold

On Thu, Jun 4, 2015 at 12:16 PM, <[hidden email]> wrote:
I have a Debian 7.0 running isc-dhcp-server 4.2.2.

My server has a single NIC, and using iproute, I've added additional
addresses (some lines snipped for brevity):

eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:192.168.220.111  Bcast:192.168.220.255
Mask:255.255.255.0

eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0

My goal is for the dhcp server to hand out unknown clients addresses from
the 10.111.111.X pool, and known client to get something from the
192.168.220.X pool. Since these are on the same subnet, I [believe] this
requires a shared-network block. My dhcpd.conf file looks like (with
comments and global options stripped out for brevity):

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                range 192.168.200.194 192.168.200.200;
                range 192.168.200.215 192.168.200.250;

                ignore unknown-clients;
  <bunch of options removed>
        } #subnet 192.168.200.0

        subnet 10.111.111.0 netmask 255.255.255.0 {
                range 10.111.111.5 10.111.111.200;
                allow unknown-clients;
<bunch of options removed>
        } #subnet 10.111.111.0
} #shared-network

It runs, but only gives out 192 addresses. If I reverse the order, so the
10 subnet declaration comes first, then it hands out 10 addresses, but not
192 addresses.

Any ideas what I am doing wrong?


From the man page (you probably already know this):
      " The unknown-clients flag is used to tell dhcpd whether or not to dynamically  assign  addresses  to
       unknown  clients.  Dynamic address assignment to unknown clients is allowed by default.  An unknown
       client is simply a client that has no host declaration.

       The use of this option is now deprecated.  If you are trying to restrict access on your network  to
       known clients, you should use deny unknown-clients; inside of your address pool, as described under
       the heading ALLOW AND DENY WITHIN POOL DECLARATIONS."

---- But let me suggest trying:

        subnet 192.168.200.0 netmask 255.255.255.0 {
                deny unknown-clients;
...
        subnet 10.111.111.0 netmask 255.255.255.0 {
                deny known-clients;

--- What might work even better is to use a "class" to list which clients are allowed, instead of 'host' declarations.

-- 
Bob Harold 


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

RE: Problem with shared-network

Patrick Trapp
In reply to this post by robert
I'm not an expert, but I have something like this and did a little digging. Documentation seems to indicate the allow/deny you are trying is a pool-level declaration, and that's where I'm using them successfully. You don't appear to have a pool defined unless it's part of what you snipped.

Oh, and they use allow/deny rather than allow/ignore, which may be pertinent. I certainly don't know all the options that work or don't.

Is it possible that what you want is something like

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                pool {
                        deny unknown-clients;
                        range 192.168.200.194 192.168.200.200;
                } # pool declaration
        subnet #second subnet
                 pool { #second pool declaration }

________________________________________
From: [hidden email] [[hidden email]] on behalf of [hidden email] [[hidden email]]
Sent: Thursday, June 04, 2015 11:16 AM
To: [hidden email]
Subject: Problem with shared-network

I have a Debian 7.0 running isc-dhcp-server 4.2.2.

My server has a single NIC, and using iproute, I've added additional
addresses (some lines snipped for brevity):

eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:192.168.220.111  Bcast:192.168.220.255
Mask:255.255.255.0

eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0

My goal is for the dhcp server to hand out unknown clients addresses from
the 10.111.111.X pool, and known client to get something from the
192.168.220.X pool. Since these are on the same subnet, I [believe] this
requires a shared-network block. My dhcpd.conf file looks like (with
comments and global options stripped out for brevity):

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                range 192.168.200.194 192.168.200.200;
                range 192.168.200.215 192.168.200.250;

                ignore unknown-clients;
  <bunch of options removed>
        } #subnet 192.168.200.0

        subnet 10.111.111.0 netmask 255.255.255.0 {
                range 10.111.111.5 10.111.111.200;
                allow unknown-clients;
<bunch of options removed>
        } #subnet 10.111.111.0
} #shared-network

It runs, but only gives out 192 addresses. If I reverse the order, so the
10 subnet declaration comes first, then it hands out 10 addresses, but not
192 addresses.

Any ideas what I am doing wrong?

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

Sten Carlsen
Based on my experience with a similar setup, it should be sufficient to change the ignore to deny.

Be aware that both eth0 and eth0:1 are part of the same shared subnet, so known or unknown does not correspond to being on eth0 or eth0:1.

Be aware that when using classes, a match for a class xxx does not make the host known, only a host statement will have that effect. It means that you will have to deny members of class xxx in the pool for unknown hosts to avoid them getting an IP from that pool.

On 04/06/15 18:35, Patrick Trapp wrote:
I'm not an expert, but I have something like this and did a little digging. Documentation seems to indicate the allow/deny you are trying is a pool-level declaration, and that's where I'm using them successfully. You don't appear to have a pool defined unless it's part of what you snipped.

Oh, and they use allow/deny rather than allow/ignore, which may be pertinent. I certainly don't know all the options that work or don't.

Is it possible that what you want is something like

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                pool {
                        deny unknown-clients;
                        range 192.168.200.194 192.168.200.200;
                } # pool declaration
        subnet #second subnet
                 pool { #second pool declaration }

________________________________________
From: [hidden email] [[hidden email]] on behalf of [hidden email] [[hidden email]]
Sent: Thursday, June 04, 2015 11:16 AM
To: [hidden email]
Subject: Problem with shared-network

I have a Debian 7.0 running isc-dhcp-server 4.2.2.

My server has a single NIC, and using iproute, I've added additional
addresses (some lines snipped for brevity):

eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:192.168.220.111  Bcast:192.168.220.255
Mask:255.255.255.0

eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0

My goal is for the dhcp server to hand out unknown clients addresses from
the 10.111.111.X pool, and known client to get something from the
192.168.220.X pool. Since these are on the same subnet, I [believe] this
requires a shared-network block. My dhcpd.conf file looks like (with
comments and global options stripped out for brevity):

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                range 192.168.200.194 192.168.200.200;
                range 192.168.200.215 192.168.200.250;

                ignore unknown-clients;
  <bunch of options removed>
        } #subnet 192.168.200.0

        subnet 10.111.111.0 netmask 255.255.255.0 {
                range 10.111.111.5 10.111.111.200;
                allow unknown-clients;
<bunch of options removed>
        } #subnet 10.111.111.0
} #shared-network

It runs, but only gives out 192 addresses. If I reverse the order, so the
10 subnet declaration comes first, then it hands out 10 addresses, but not
192 addresses.

Any ideas what I am doing wrong?

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

RE: Problem with shared-network

robert
In reply to this post by Patrick Trapp
<aside>I use ignore rather than deny to keep my logs cleaner. Deny logs
every attempt. The ignore just ignores. And yes, I realize mac filtering
can be easily defeated by a knowledgeable opponent. A weak attempt at
security is not my purpose for using mac lists.</aside>

I did not have pools. Now I do. Unfortunately, I still get the same
behavior. Just for kicks, I reversed the order of the subnets, and to my
surprise, still got the same behavior, except now the 192 subnet still
works. So the pools helped. This makes me believe the problem is the 10
subnet declaration.

I removed the 192 subnet and the shared-network and just left the 10
subnet. When I attempted to restart the DHCP server, I got the no subnet
declaration for eth0 and it exited. Adding eth0:1 to both the command line
and /etc/defaults/isc-dhcp-server did not change the result, only the
error message: "No subnet declaration for eth0:1 (No IPv4 addresses)"

So despite the shared-network statement, the DHCP server still doesn't
recognize virtual interfaces??? Can this be right?

> I'm not an expert, but I have something like this and did a little
> digging. Documentation seems to indicate the allow/deny you are trying is
> a pool-level declaration, and that's where I'm using them successfully.
> You don't appear to have a pool defined unless it's part of what you
> snipped.
>
> Oh, and they use allow/deny rather than allow/ignore, which may be
> pertinent. I certainly don't know all the options that work or don't.
>
> Is it possible that what you want is something like
>
> shared-network my-net {
>         subnet 192.168.200.0 netmask 255.255.255.0 {
>                 pool {
>                         deny unknown-clients;
>                         range 192.168.200.194 192.168.200.200;
>                 } # pool declaration
>         subnet #second subnet
>                  pool { #second pool declaration }
>
> ________________________________________
> From: [hidden email] [[hidden email]]
> on behalf of [hidden email] [[hidden email]]
> Sent: Thursday, June 04, 2015 11:16 AM
> To: [hidden email]
> Subject: Problem with shared-network
>
> I have a Debian 7.0 running isc-dhcp-server 4.2.2.
>
> My server has a single NIC, and using iproute, I've added additional
> addresses (some lines snipped for brevity):
>
> eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>           inet addr:192.168.220.111  Bcast:192.168.220.255
> Mask:255.255.255.0
>
> eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>           inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0
>
> My goal is for the dhcp server to hand out unknown clients addresses from
> the 10.111.111.X pool, and known client to get something from the
> 192.168.220.X pool. Since these are on the same subnet, I [believe] this
> requires a shared-network block. My dhcpd.conf file looks like (with
> comments and global options stripped out for brevity):
>
> shared-network my-net {
>         subnet 192.168.200.0 netmask 255.255.255.0 {
>                 range 192.168.200.194 192.168.200.200;
>                 range 192.168.200.215 192.168.200.250;
>
>                 ignore unknown-clients;
>   <bunch of options removed>
>         } #subnet 192.168.200.0
>
>         subnet 10.111.111.0 netmask 255.255.255.0 {
>                 range 10.111.111.5 10.111.111.200;
>                 allow unknown-clients;
> <bunch of options removed>
>         } #subnet 10.111.111.0
> } #shared-network
>
> It runs, but only gives out 192 addresses. If I reverse the order, so the
> 10 subnet declaration comes first, then it hands out 10 addresses, but not
> 192 addresses.
>
> Any ideas what I am doing wrong?
>
> _______________________________________________
> dhcp-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/dhcp-users
> _______________________________________________
> dhcp-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/dhcp-users
>


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

Simon Hobson
In reply to this post by robert

On 4 Jun 2015, at 17:16, [hidden email] wrote:

> I have a Debian 7.0 running isc-dhcp-server 4.2.2.
>
> My server has a single NIC, and using iproute, I've added additional
> addresses (some lines snipped for brevity):
>
> eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>          inet addr:192.168.220.111  Bcast:192.168.220.255
> Mask:255.255.255.0
>
> eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>          inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0

Try ditching the alias interface and just add the address to the main interface, so you'd end up with :
eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
         inet addr:192.168.220.111  Bcast:192.168.220.255 Mask:255.255.255.0
         inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0

That can be done with "ip addr add 10.111.111.1/24 dev eth0", and it can be automated by putting it in /etc/network/interfaces as a post-up line :
  post-ip ip addr add 10.111.111.1/24 dev eth0

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

Bob Harold
In reply to this post by robert

On Thu, Jun 4, 2015 at 1:38 PM, <[hidden email]> wrote:
<aside>I use ignore rather than deny to keep my logs cleaner. Deny logs
every attempt. The ignore just ignores. And yes, I realize mac filtering
can be easily defeated by a knowledgeable opponent. A weak attempt at
security is not my purpose for using mac lists.</aside>

I did not have pools. Now I do. Unfortunately, I still get the same
behavior. Just for kicks, I reversed the order of the subnets, and to my
surprise, still got the same behavior, except now the 192 subnet still
works. So the pools helped. This makes me believe the problem is the 10
subnet declaration.

I removed the 192 subnet and the shared-network and just left the 10
subnet. When I attempted to restart the DHCP server, I got the no subnet
declaration for eth0 and it exited. Adding eth0:1 to both the command line
and /etc/defaults/isc-dhcp-server did not change the result, only the
error message: "No subnet declaration for eth0:1 (No IPv4 addresses)"

DHCP needs the 192 subnet to be defined.  It does not need to have a range, or any options, it can be an empty definition, but if it is not defined, it will ignore that interface.

 
So despite the shared-network statement, the DHCP server still doesn't
recognize virtual interfaces??? Can this be right?


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

RE: Problem with shared-network

Michael Morrow
In reply to this post by robert
I think the key thing you are missing is pool declarations based off of Bob Harold's comment earlier:

"... you should use deny unknown-clients; inside of your address pool, as described under
       the heading ALLOW AND DENY WITHIN POOL DECLARATIONS."


shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                pool {
                range 192.168.200.194 192.168.200.200;
                range 192.168.200.215 192.168.200.250;
                ignore unknown-clients;
                }
                <bunch of options removed>
        } #subnet 192.168.200.0

        subnet 10.111.111.0 netmask 255.255.255.0 {
                pool {
                range 10.111.111.5 10.111.111.200;
                allow unknown-clients;
                }
                <bunch of options removed>
        } #subnet 10.111.111.0
} #shared-network

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Thursday, June 04, 2015 11:17 AM
To: [hidden email]
Subject: Problem with shared-network

I have a Debian 7.0 running isc-dhcp-server 4.2.2.

My server has a single NIC, and using iproute, I've added additional
addresses (some lines snipped for brevity):

eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:192.168.220.111  Bcast:192.168.220.255
Mask:255.255.255.0

eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
          inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0

My goal is for the dhcp server to hand out unknown clients addresses from
the 10.111.111.X pool, and known client to get something from the
192.168.220.X pool. Since these are on the same subnet, I [believe] this
requires a shared-network block. My dhcpd.conf file looks like (with
comments and global options stripped out for brevity):

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                range 192.168.200.194 192.168.200.200;
                range 192.168.200.215 192.168.200.250;

                ignore unknown-clients;
  <bunch of options removed>
        } #subnet 192.168.200.0

        subnet 10.111.111.0 netmask 255.255.255.0 {
                range 10.111.111.5 10.111.111.200;
                allow unknown-clients;
<bunch of options removed>
        } #subnet 10.111.111.0
} #shared-network

It runs, but only gives out 192 addresses. If I reverse the order, so the
10 subnet declaration comes first, then it hands out 10 addresses, but not
192 addresses.

Any ideas what I am doing wrong?

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

This email and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this email in error destroy it immediately. *** Walmart Confidential ***
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

RE: Problem with shared-network

glenn.satchell
In reply to this post by robert
In addition to the subnet and pool declarations you also need "host"
statements for each of the clients you want to be "known". A client
matches the "deny unknown-clients" if it has a host statement, otherwise
it matches "allow unknown-clients".

host "known1" { hardware ethernet aa:bb:cc:dd:ee:ff; }

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                pool {
                        deny unknown-clients;
                        range 192.168.200.194 192.168.200.200;
                } # pool declaration
         subnet 10.111.111.0 netmask 255.255.255.0 {
                 pool {
                        allow unknown-clients;
                        range 10.111.111.5 10.111.111.200;                 }
        }
}

regards,
-glenn


On Fri, June 5, 2015 3:38 am, [hidden email] wrote:

> <aside>I use ignore rather than deny to keep my logs cleaner. Deny logs
> every attempt. The ignore just ignores. And yes, I realize mac filtering
> can be easily defeated by a knowledgeable opponent. A weak attempt at
> security is not my purpose for using mac lists.</aside>
>
> I did not have pools. Now I do. Unfortunately, I still get the same
> behavior. Just for kicks, I reversed the order of the subnets, and to my
> surprise, still got the same behavior, except now the 192 subnet still
> works. So the pools helped. This makes me believe the problem is the 10
> subnet declaration.
>
> I removed the 192 subnet and the shared-network and just left the 10
> subnet. When I attempted to restart the DHCP server, I got the no subnet
> declaration for eth0 and it exited. Adding eth0:1 to both the command line
> and /etc/defaults/isc-dhcp-server did not change the result, only the
> error message: "No subnet declaration for eth0:1 (No IPv4 addresses)"
>
> So despite the shared-network statement, the DHCP server still doesn't
> recognize virtual interfaces??? Can this be right?
>
>> I'm not an expert, but I have something like this and did a little
>> digging. Documentation seems to indicate the allow/deny you are trying
>> is
>> a pool-level declaration, and that's where I'm using them successfully.
>> You don't appear to have a pool defined unless it's part of what you
>> snipped.
>>
>> Oh, and they use allow/deny rather than allow/ignore, which may be
>> pertinent. I certainly don't know all the options that work or don't.
>>
>> Is it possible that what you want is something like
>>
>> shared-network my-net {
>>         subnet 192.168.200.0 netmask 255.255.255.0 {
>>                 pool {
>>                         deny unknown-clients;
>>                         range 192.168.200.194 192.168.200.200;
>>                 } # pool declaration
>>         subnet #second subnet
>>                  pool { #second pool declaration }
>>
>> ________________________________________
>> From: [hidden email]
>> [[hidden email]]
>> on behalf of [hidden email]
>> [[hidden email]]
>> Sent: Thursday, June 04, 2015 11:16 AM
>> To: [hidden email]
>> Subject: Problem with shared-network
>>
>> I have a Debian 7.0 running isc-dhcp-server 4.2.2.
>>
>> My server has a single NIC, and using iproute, I've added additional
>> addresses (some lines snipped for brevity):
>>
>> eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>>           inet addr:192.168.220.111  Bcast:192.168.220.255
>> Mask:255.255.255.0
>>
>> eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>>           inet addr:10.111.111.1  Bcast:10.255.255.255
>> Mask:255.255.255.0
>>
>> My goal is for the dhcp server to hand out unknown clients addresses
>> from
>> the 10.111.111.X pool, and known client to get something from the
>> 192.168.220.X pool. Since these are on the same subnet, I [believe] this
>> requires a shared-network block. My dhcpd.conf file looks like (with
>> comments and global options stripped out for brevity):
>>
>> shared-network my-net {
>>         subnet 192.168.200.0 netmask 255.255.255.0 {
>>                 range 192.168.200.194 192.168.200.200;
>>                 range 192.168.200.215 192.168.200.250;
>>
>>                 ignore unknown-clients;subnet 10.111.111.0 netmask
255.255.255.0 {
>>                 range 10.111.111.5 10.111.111.200;

>>   <bunch of options removed>
>>         } #subnet 192.168.200.0
>>
>>         subnet 10.111.111.0 netmask 255.255.255.0 {
>>                 range 10.111.111.5 10.111.111.200;
>>                 allow unknown-clients;
>> <bunch of options removed>
>>         } #subnet 10.111.111.0
>> } #shared-network
>>
>> It runs, but only gives out 192 addresses. If I reverse the order, so
>> the
>> 10 subnet declaration comes first, then it hands out 10 addresses, but
>> not
>> 192 addresses.
>>
>> Any ideas what I am doing wrong?
>>


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

RE: Problem with shared-network

robert
I did later, per some suggestions, add pool declarations. The ignore
unknown-clients does work.

> In addition to the subnet and pool declarations you also need "host"
> statements for each of the clients you want to be "known". A client
> matches the "deny unknown-clients" if it has a host statement, otherwise
> it matches "allow unknown-clients".
>
> host "known1" { hardware ethernet aa:bb:cc:dd:ee:ff; }
>
> shared-network my-net {
>         subnet 192.168.200.0 netmask 255.255.255.0 {
>                 pool {
>                         deny unknown-clients;
>                         range 192.168.200.194 192.168.200.200;
>                 } # pool declaration
>          subnet 10.111.111.0 netmask 255.255.255.0 {
>                  pool {
>                         allow unknown-clients;
>                         range 10.111.111.5 10.111.111.200;
> }
>         }
> }
>
> regards,
> -glenn
>
>
> On Fri, June 5, 2015 3:38 am, [hidden email] wrote:
>> <aside>I use ignore rather than deny to keep my logs cleaner. Deny logs
>> every attempt. The ignore just ignores. And yes, I realize mac filtering
>> can be easily defeated by a knowledgeable opponent. A weak attempt at
>> security is not my purpose for using mac lists.</aside>
>>
>> I did not have pools. Now I do. Unfortunately, I still get the same
>> behavior. Just for kicks, I reversed the order of the subnets, and to my
>> surprise, still got the same behavior, except now the 192 subnet still
>> works. So the pools helped. This makes me believe the problem is the 10
>> subnet declaration.
>>
>> I removed the 192 subnet and the shared-network and just left the 10
>> subnet. When I attempted to restart the DHCP server, I got the no subnet
>> declaration for eth0 and it exited. Adding eth0:1 to both the command
>> line
>> and /etc/defaults/isc-dhcp-server did not change the result, only the
>> error message: "No subnet declaration for eth0:1 (No IPv4 addresses)"
>>
>> So despite the shared-network statement, the DHCP server still doesn't
>> recognize virtual interfaces??? Can this be right?
>>
>>> I'm not an expert, but I have something like this and did a little
>>> digging. Documentation seems to indicate the allow/deny you are trying
>>> is
>>> a pool-level declaration, and that's where I'm using them successfully.
>>> You don't appear to have a pool defined unless it's part of what you
>>> snipped.
>>>
>>> Oh, and they use allow/deny rather than allow/ignore, which may be
>>> pertinent. I certainly don't know all the options that work or don't.
>>>
>>> Is it possible that what you want is something like
>>>
>>> shared-network my-net {
>>>         subnet 192.168.200.0 netmask 255.255.255.0 {
>>>                 pool {
>>>                         deny unknown-clients;
>>>                         range 192.168.200.194 192.168.200.200;
>>>                 } # pool declaration
>>>         subnet #second subnet
>>>                  pool { #second pool declaration }
>>>
>>> ________________________________________
>>> From: [hidden email]
>>> [[hidden email]]
>>> on behalf of [hidden email]
>>> [[hidden email]]
>>> Sent: Thursday, June 04, 2015 11:16 AM
>>> To: [hidden email]
>>> Subject: Problem with shared-network
>>>
>>> I have a Debian 7.0 running isc-dhcp-server 4.2.2.
>>>
>>> My server has a single NIC, and using iproute, I've added additional
>>> addresses (some lines snipped for brevity):
>>>
>>> eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>>>           inet addr:192.168.220.111  Bcast:192.168.220.255
>>> Mask:255.255.255.0
>>>
>>> eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>>>           inet addr:10.111.111.1  Bcast:10.255.255.255
>>> Mask:255.255.255.0
>>>
>>> My goal is for the dhcp server to hand out unknown clients addresses
>>> from
>>> the 10.111.111.X pool, and known client to get something from the
>>> 192.168.220.X pool. Since these are on the same subnet, I [believe]
>>> this
>>> requires a shared-network block. My dhcpd.conf file looks like (with
>>> comments and global options stripped out for brevity):
>>>
>>> shared-network my-net {
>>>         subnet 192.168.200.0 netmask 255.255.255.0 {
>>>                 range 192.168.200.194 192.168.200.200;
>>>                 range 192.168.200.215 192.168.200.250;
>>>
>>>                 ignore unknown-clients;subnet 10.111.111.0 netmask
> 255.255.255.0 {
>>>                 range 10.111.111.5 10.111.111.200;
>
>>>   <bunch of options removed>
>>>         } #subnet 192.168.200.0
>>>
>>>         subnet 10.111.111.0 netmask 255.255.255.0 {
>>>                 range 10.111.111.5 10.111.111.200;
>>>                 allow unknown-clients;
>>> <bunch of options removed>
>>>         } #subnet 10.111.111.0
>>> } #shared-network
>>>
>>> It runs, but only gives out 192 addresses. If I reverse the order, so
>>> the
>>> 10 subnet declaration comes first, then it hands out 10 addresses, but
>>> not
>>> 192 addresses.
>>>
>>> Any ideas what I am doing wrong?
>>>
>
>
> _______________________________________________
> dhcp-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/dhcp-users
>


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

robert
In reply to this post by Simon Hobson
>
> On 4 Jun 2015, at 17:16, [hidden email] wrote:
>
>> I have a Debian 7.0 running isc-dhcp-server 4.2.2.
>>
>> My server has a single NIC, and using iproute, I've added additional
>> addresses (some lines snipped for brevity):
>>
>> eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>>          inet addr:192.168.220.111  Bcast:192.168.220.255
>> Mask:255.255.255.0
>>
>> eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>>          inet addr:10.111.111.1  Bcast:10.255.255.255
>> Mask:255.255.255.0
>
> Try ditching the alias interface and just add the address to the main
> interface, so you'd end up with :
> eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>          inet addr:192.168.220.111  Bcast:192.168.220.255
> Mask:255.255.255.0
>          inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0
>
> That can be done with "ip addr add 10.111.111.1/24 dev eth0", and it can
> be automated by putting it in /etc/network/interfaces as a post-up line :
>   post-ip ip addr add 10.111.111.1/24 dev eth0

Sadly, I thought of the too after I sent my first message. No change. Here
is my current "ip addr show" for eth0:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000
    link/ether 00:50:56:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.111/24 brd 192.168.200.255 scope global eth0
    inet 172.35.24.54/22 brd 172.35.27.255 scope global eth0:2
    inet 10.111.111.1/24 brd 10.111.111.255 scope global eth0
    inet 192.168.200.54/24 scope global secondary eth0:0
    inet6 fd00:200:0:1::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe8f:XXXX/64 scope link
       valid_lft forever preferred_lft forever

Interestingly, ifconfig does NOT show 10.111.111.1. (It is there and
working, I can ping that address.) I wonder if the ISC DHCP server does
not recognize addresses added by iproute2?

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

robert
In reply to this post by Bob Harold
> On Thu, Jun 4, 2015 at 1:38 PM, <[hidden email]> wrote:
>
>> <aside>I use ignore rather than deny to keep my logs cleaner. Deny logs
>> every attempt. The ignore just ignores. And yes, I realize mac filtering
>> can be easily defeated by a knowledgeable opponent. A weak attempt at
>> security is not my purpose for using mac lists.</aside>
>>
>> I did not have pools. Now I do. Unfortunately, I still get the same
>> behavior. Just for kicks, I reversed the order of the subnets, and to my
>> surprise, still got the same behavior, except now the 192 subnet still
>> works. So the pools helped. This makes me believe the problem is the 10
>> subnet declaration.
>>
>> I removed the 192 subnet and the shared-network and just left the 10
>> subnet. When I attempted to restart the DHCP server, I got the no subnet
>> declaration for eth0 and it exited. Adding eth0:1 to both the command
>> line
>> and /etc/defaults/isc-dhcp-server did not change the result, only the
>> error message: "No subnet declaration for eth0:1 (No IPv4 addresses)"
>>
>> DHCP needs the 192 subnet to be defined.  It does not need to have a
> range, or any options, it can be an empty definition, but if it is not
> defined, it will ignore that interface.

<snip>

I agree that is the reason for the first error message (the eth0). But on
the second (before I removed the eth0:1 label), I specifically told the
server which interface (eth0:1, and not eth0), and it DOES have an IPv4
address. At the time (now changed), ONLY 10.111.111.1 was on eth0:1.

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

Niall O'Reilly
In reply to this post by robert
On Thu, 04 Jun 2015 18:38:42 +0100,
[hidden email] wrote:
>
> So despite the shared-network statement, the DHCP server still doesn't
> recognize virtual interfaces??? Can this be right?

  Absolutely.

  The "shared-network" statement allows you to lease an IP address to a
  client on that network from one or other of the prefixes declared in
  the enclosed "subnet" statements, according to whatever rules you
  configure.  It doesn't specify anything about the IP addresses (or
  corresponding prefixes) used on the server interface(s).


  Best regards,
  Niall O'Reilly
 
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

Niall O'Reilly
In reply to this post by Bob Harold
On Thu, 04 Jun 2015 17:33:09 +0100,
Bob Harold wrote:
>
> ---- But let me suggest trying:
>
> subnet 192.168.200.0 netmask 255.255.255.0 {
> deny unknown-clients;
> ...
> subnet 10.111.111.0 netmask 255.255.255.0 {
> deny known-clients;

  I've found it necessary to use this approach at some stage, and
  stayed with it (because it worked!). That's to say, using the "deny"
  action in each subnet (or pool within subnet) with complementary
  criteria, rather than complementary actions (deny/allow) with
  identical criteria.

  Subsequent careful reading of the man page for dhcpd.conf led me
  to suspect that this approach may no longer be necessary, but I
  wasn't minded to change a system that worked.


  Best regards,
  Niall O'Reilly
 
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with shared-network

Simon Hobson
In reply to this post by robert
[hidden email] wrote:
> I specifically told the
> server which interface (eth0:1, and not eth0), and it DOES have an IPv4
> address.

That doesn't work - dhcpd cannot use a virtual interface like that, nor can it ignore traffic on any of the interfaces defined on a physical port.

Reason ? These operate at the IP layer, while dhcpd operates at the packet layer for some of it's operations - though there are ways round that if you can work with certain limitations.
Simple example - client broadcasts a DHCP Discover packet. The client doesn't have an IP address, the packet has neither source nor destination address (I think they are all zeros, or is it all ones ?). When that packet arrives on the physical interface, there is absolutely nothing to differentiate whether it was intended for eth0, or eth0:1, or eth0:2, or ...
The server also needs to be able to transmit packets without a source address - these cannot go via the IP stack so also ned to be handled directly.

So dhcpd cannot bind to a virtual interface, it can only bind to the main interface and it cannot not service a virtual interface.

The exception is if you compile without the option to use raw sockets. Then you can operate at the IP level, but you cannot handle locally attached clients - only clients utilising a relay agent. I suspect even if you do this, there's probably still the code in there that (should) throw a warning if you try and listen on a virtual interface.

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users