per-pool routers in dhcpd.conf?

Hi, I have dhcpd.conf at home containing:

        host { ... }
        ...
       
        subnet 192.168.1.0 netmask 255.255.255.0 {
            option routers 192.168.1.1;
            option domain-name "pasta.net";
            option domain-name-servers 192.168.1.21;
            option ntp-servers time.pasta.net;
       
            #  1-100 are reserved for statically configured hosts.

            #  101-150 are reserved for known dynamic hosts (known because they're in host stanzas above).
            #  e.g. my Android phone on wifi.
            pool {
                range 192.168.1.101 192.168.1.150;
                allow known-clients;
                deny unknown-clients;
            }
       
            #  151-200 are for unknown dynamic hosts. e.g. visitors' phones on wifi.
            pool {
                range 192.168.1.151 192.168.1.200;
                allow unknown-clients;
                deny known-clients;
            }
        }

This works fine.

I now want to force 'known dynamic hosts'' to use a different gateway.

(In case you're curious: Since, when using wifi, my Android
phone silently refuses to use the DNS server proposed by the above
dhcpd.conf, I now want to change the phone's gateway to a masqueraing
Linux box, where I can hopefully use iptables to force the phone to
use the DNS server proposed by the DHCP server, and thereby block ads.)

The dhcpd.conf man page says:

        In general, any parameter can appear anywhere that parameters
        are allowed, and will be applied according to the scope in which
        the parameter appears.

and I don't see anything special documented about 'option routers'.

So I thought this should work:

        subnet 192.168.1.0 netmask 255.255.255.0 {
            #option routers 192.168.1.1;               <--- commented out at subnet level
            ...

            pool {
                range 192.168.1.101 192.168.1.150;
                ...
                option routers 192.168.1.32;           <--- this is the different gateway
            }

            pool {
                range 192.168.1.151 192.168.1.200;
                ...
                option routers 192.168.1.1;            <--- this is the original gateway
            }

but it looks like *no* host gets told its gateway.

To confirm that it wasn't a problem with my new gateway itself, I
put the original gateway in *both* pools, i.e. only the *location* of
the router declaration changes compared to the original configuration:

        subnet 192.168.1.0 netmask 255.255.255.0 {
            #option routers 192.168.1.1;               <--- commented out at subnet level
            ...

            pool {
                range 192.168.1.101 192.168.1.150;
                ...
                option routers 192.168.1.1;            <--- this is the original gateway
            }

            pool {
                range 192.168.1.151 192.168.1.200;
                ...
                option routers 192.168.1.1;            <--- this is the original gateway
            }

The result was the same: no gateway.

My googles didn't turn up anything relevant and my experiments (using
'groups' failed), so any advice would be appreciated. I'm using
isc-dhcp-server 4.4.1 on Debian 10. Thanks!

Alexis
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

For what it's worth, my setup uses 2 pools in the same network where one pool has a gateway and the other pool has no gateway. These are separated by class and subclass statements. I have another pool for unknown clients, they get a different network and no gateway (can't talk to any other host and no access to internet).
This setup works fine.

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Hi Sten,

> For what it's worth, my setup uses 2 pools in the same network where one pool has a gateway and the other pool has no gateway. These are separated by class and subclass statements. I have another pool for unknown clients, they get a different network and no gateway (can't talk to any other host and no access to internet).

please could you post some of it showing the subnet/pools/class/subclass
structure please? Thanks!

Alexis
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

> On 25 Jul 2020, at 16.45, Alexis Huxley <[hidden email]> wrote:
>
> Hi Sten,
>
>> For what it's worth, my setup uses 2 pools in the same network where one pool has a gateway and the other pool has no gateway. These are separated by class and subclass statements. I have another pool for unknown clients, they get a different network and no gateway (can't talk to any other host and no access to internet).
>
> please could you post some of it showing the subnet/pools/class/subclass
> structure please? Thanks!
This should be the main parts.

dhcpd.conf:
~~~~~~~~~~~~

# class definitions
class "gateway-0" {
         match hardware;
        }


class "gateway-5" {
         match hardware;
        }

# Subnet Declarations
shared-network hjemme{
        authoritative;

        subnet 192.168.16.0 netmask 255.255.255.0{
                option domain-name "s-carlsen.dk";
                option domain-name-servers 192.168.16.20;
                option domain-name-servers ns2.s-carlsen.dk;
                option subnet-mask 255.255.255.0;
                # B-NODE: Broadcast - no WINS
                option netbios-node-type 1;
                pool{
                        # NO router - these must not touch the internet
                        allow members of "gateway-0";
                        range 192.168.16.160 192.168.16.195;
                }
                pool{
                        # these go to the FIBER link
                        option routers 192.168.16.5;
                        allow members of "gateway-5";
                        range 192.168.16.50 192.168.16.150;
                }
        }

        subnet 192.168.161.0  netmask 255.255.255.0{
                max-lease-time 300;
                default-lease-time 150;
                pool{
                        # These are not known (yet) and shall not see any other host
                        deny known-clients;
                        deny members of "gateway-0";
                        deny members of "gateway-5";
                        range 192.168.161.100 192.168.161.150;
                }
        }

        subnet 192.168.122.0 netmask 255.255.255.0{
        # Not a real network, "virbr0"
        }
}


include "/etc/dhcp/subclass.conf";
~~~~~~~~~~~~

subclass.conf:
~~~~~~~~~~~~
subclass "gateway-0" 1:00:80:f0:8f:fd:27; # host argus3
subclass "gateway-0" 1:00:80:f0:a0:02:40; # host argus2
subclass "gateway-0" 1:28:10:7b:10:5c:a2 {ddns-hostname argus4;} # D-Link 932-L
subclass "gateway-0" 1:de:ad:be:ef:fe:ed {ddns-hostname ard;} # host Arduino #1
subclass "gateway-5" 1:00:11:32:05:BB:E9 {always-broadcast on;ddns-hostname ds-209;} # host ds-209
subclass "gateway-5" 1:00:16:cb:95:7a:7c; # host silver2
subclass "gateway-5" 1:00:17:f2:41:7c:ff; # host Silver2-wlan
subclass "gateway-5" 1:00:18:56:22:d6:93; # host eye-fi-01
subclass "gateway-5" 1:00:1b:63:05:99:1b; # host Sus-01
subclass "gateway-5" 1:00:1b:63:1d:1a:f4; # Host Sus
subclass "gateway-5" 1:00:1e:c2:14:ee:7b; # host LX9900261-cable
subclass "gateway-5" 1:00:1e:c2:a6:f5:35; # host LX9900261-wlan
subclass "gateway-5" 1:00:40:63:de:6b:cf; # host sorte-via
~~~~~~~~~~~~
>
> Alexis
> _______________________________________________
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> dhcp-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/dhcp-users

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

option routers in the host statement works.  I've used it several times.
If there are many you may want to use a group:
group "IKnowEwe" {
    option routers 192.168.1.21;    # group
    host backup-pc        { hardware ethernet 00:24:99:33:b3:b3; }    # backup-pc
    host backup-pc2       { hardware ethernet 00:24:99:33:b3:b4; }    # backup-pc
.
.
}

You can use tcpdump on the DHCP server to see what options are asked for and
what options are sent:
tcpdump -vv -e -n -i eth0 portrange 67-68
Make sure the clients are asking for and receiving option 3.

My DNS runs on my gateway server and I force all devices to use my DNS with
iptables.  In the nat table:
REDIRECT   tcp  --  *      *       192.168.1.0/24        0.0.0.0/0       tcp dpt:53 /* domain inet */ redir ports 53
REDIRECT   udp  --  *      *       192.168.1.0/24        0.0.0.0/0       udp dpt:53 /* domain inet */ redir ports 53

Bill

Hi, I have dhcpd.conf at home containing:

	host { ... }
	...
	
	subnet 192.168.1.0 netmask 255.255.255.0 {
	    option routers 192.168.1.1;
	    option domain-name "pasta.net";
	    option domain-name-servers 192.168.1.21;
	    option ntp-servers time.pasta.net;
	
            #  1-100 are reserved for statically configured hosts.

	    #  101-150 are reserved for known dynamic hosts (known because they're in host stanzas above).
            #  e.g. my Android phone on wifi.
	    pool {
	        range 192.168.1.101 192.168.1.150;
	        allow known-clients;
	        deny unknown-clients;
	    }
	
	    #  151-200 are for unknown dynamic hosts. e.g. visitors' phones on wifi.
	    pool {
	        range 192.168.1.151 192.168.1.200;
	        allow unknown-clients;
	        deny known-clients;
	    }
	}

This works fine. 

I now want to force 'known dynamic hosts'' to use a different gateway. 

(In case you're curious: Since, when using wifi, my Android
phone silently refuses to use the DNS server proposed by the above
dhcpd.conf, I now want to change the phone's gateway to a masqueraing
Linux box, where I can hopefully use iptables to force the phone to
use the DNS server proposed by the DHCP server, and thereby block ads.)

The dhcpd.conf man page says:

	In general, any parameter can appear anywhere that parameters
	are allowed, and will be applied according to the scope in which
	the parameter appears.

and I don't see anything special documented about 'option routers'.

So I thought this should work:

        subnet 192.168.1.0 netmask 255.255.255.0 {
            #option routers 192.168.1.1;               <--- commented out at subnet level
	    ... 

            pool {
                range 192.168.1.101 192.168.1.150;
                ...
                option routers 192.168.1.32;           <--- this is the different gateway
            }

            pool {
                range 192.168.1.151 192.168.1.200;
                ...
                option routers 192.168.1.1;            <--- this is the original gateway
            }

but it looks like *no* host gets told its gateway. 

To confirm that it wasn't a problem with my new gateway itself, I
put the original gateway in *both* pools, i.e. only the *location* of
the router declaration changes compared to the original configuration:

        subnet 192.168.1.0 netmask 255.255.255.0 {
            #option routers 192.168.1.1;               <--- commented out at subnet level
	    ... 

            pool {
                range 192.168.1.101 192.168.1.150;
                ...
                option routers 192.168.1.1;            <--- this is the original gateway
            }

            pool {
                range 192.168.1.151 192.168.1.200;
                ...
                option routers 192.168.1.1;            <--- this is the original gateway
            }

The result was the same: no gateway.

My googles didn't turn up anything relevant and my experiments (using
'groups' failed), so any advice would be appreciated. I'm using 
isc-dhcp-server 4.4.1 on Debian 10. Thanks!

Alexis
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Hi Alexis

You don't strictly need allow and deny caluses, since when you use an
allow statement, everything else is implicity denied. There are also
notes about not mixing allow and deny, since the logic doesn't always
work the way you expect, even though the simpler case does seem to work.

          pool {
             range 192.168.1.101 192.168.1.150;
             allow known-clients;
             # deny unknown-clients;
         }

option routers *should* work in the pool, but config changes could use a
different code path and mess this up I guess.

As someone else suggested, looking at the actual packets with tcpdump
might be useful. Is it possible the client is caching the old gateway or
something strange like that?

I also use the same logic at home to separate the younger kids to
different IP ranges and proxy ACLs:

subnet 192.168.14.0 netmask 255.255.255.0 {
   option routers router.example.com.au;
   pool {
     allow known-clients;
     range 192.168.14.210 192.168.14.229;
   }
   pool {
     deny known-clients;
     range 192.168.14.230 192.168.14.245;
   }
}

regards,
-glenn

On 2020-07-26 00:23, Alexis Huxley wrote: _______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 7/25/20 4:23 PM, Alexis Huxley wrote:
> I now want to force 'known dynamic hosts'' to use a different gateway.
>
> (In case you're curious: Since, when using wifi, my Android
> phone silently refuses to use the DNS server proposed by the above
> dhcpd.conf, I now want to change the phone's gateway to a masqueraing
> Linux box, where I can hopefully use iptables to force the phone to
> use the DNS server proposed by the DHCP server, and thereby block ads.)

I have a similar setup at home with host declarations and a set of DNS
servers being pushed to the devices. On all of my Android devices they
seem to be taking these settings normally. So it might be worth
double-checking the client devices before doing such masqueraded setup
(which could end up being overkill).

Off the top of my head, I can think of the Private DNS settings in newer
versions of Android overriding the DNS settings pushed by the DHCP
server, as well as any VPN connections. Perhaps one or both of these are
active and interfering?

I don't know if this is relevant, but in my dhcpd.conf I also have the
options for domain/search and DNS servers to use above the host settings.

--
Met vriendelijke groet / Best regards,
Michael De Roover
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

thanks very much everyone for the prompt and useful feedback! In the
end, I used Bill's suggestion to group hosts and set the router there,
as it was closest to what I already had it worked fine!  Thanks again!

Alexis
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users