option 249 for MS VPN clients
Ray Phillips
r.phillips at jkmrc.com
Tue Feb 13 06:08:59 UTC 2007
I'm running version 3.0.5 of the ISC's dhcp server (compiled from
source in a failover configuration) on NetBSD/i386 machines and would
like it to provide classless static routes to Windows XP machines
which are clients of a Windows 2003 Server VPN server.
I've entered this line in dhcpd.conf's global scope:
option classless-routes code 249 = array of unsigned integer 8;
and defined the actual routes:
option classless-routes 32, 0,0,0,0, 192,168,36,30,
16, 130,102, 192,168,36,30;
I created a class which matches the MAC address of the VPN server's
internal NIC and use it to restrict VPN clients to a particular pool.
I presume the static routes may be inserted in the scope of either
the class or the pool, e.g.:
class "VPN-Server-Client" {
    match if substring (hardware, 1, 6) = 00:13:72:54:96:a2 and
             substring (option dhcp-client-identifier, 1, 3) = "RAS";
    option classless-routes 32, 0,0,0,0, 192,168,36,30,
                            16, 130,102, 192,168,36,30;
}
pool {
    failover peer "foo";
    deny dynamic bootp clients;
    range 192.168.36.81 192.168.36.96;
    allow members of "VPN-Server-Client";
    ddns-updates off;
    default-lease-time 43200;   # minimum lease 12 hours
    max-lease-time 43200;       # maximum lease 12 hours
    option classless-routes 32, 0,0,0,0, 192,168,36,30,
                            16, 130,102, 192,168,36,30;
}
but neither works. Although option 249 is on the client's parameter
request list it isn't supplied by the ISC server, as shown in the
following output, obtained from a shell on one of the dhcp servers.
# tcpdump -i ex0 -lenx -s 1500 port bootps or port bootpc | dhcpdump
tcpdump: listening on ex0
Old-style tcpdump output
TIME: 10:55:46.231810
IP: 192.168.36.87.67 (0:1:96:de:9b:e1) > (0:4:75:98:a:31)
OP: 1 (BOOTPREQUEST)
HTYPE: 8 (Hyperchannel)
HLEN: 6
HOPS: 1
XID: 543a2dba
SECS: 1536
FLAGS: 0
CIADDR: 192.168.36.82
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 192.168.36.87
CHADDR: 00:53:45:00:00:00:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 8 (DHCPINFORM)
OPTION: 61 ( 7) Client-identifier 08:00:53:45:00:00:00
OPTION: 12 ( 3) Host name dd3
OPTION: 60 ( 8) Vendor class identifier MSFT 5.0
OPTION: 55 ( 6) Parameter Request List 6 (DNS server)
44 (NetBIOS name server)
43 (Vendor specific info)
1 (Subnet mask)
249 (MSFT - Classless route)
15 (Domainname)
---------------------------------------------------------------------------
TIME: 10:55:46.258653
IP: 192.168.36.2.67 (0:4:75:98:a:31) > (0:13:72:54:96:a2)
OP: 2 (BOOTPREPLY)
HTYPE: 8 (Hyperchannel)
HLEN: 6
HOPS: 1
XID: 543a2dba
SECS: 1536
FLAGS: 0
CIADDR: 192.168.36.82
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 192.168.36.87
CHADDR: 00:53:45:00:00:00:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 5 (DHCPACK)
OPTION: 54 ( 4) Server identifier 130.102.20.3
OPTION: 6 ( 8) DNS server 192.168.36.1,130.102.128.53
OPTION: 44 ( 8) NetBIOS name server 192.168.36.37,192.168.36.15
OPTION: 1 ( 4) Subnet mask 255.255.254.0
OPTION: 15 ( 15) Domainname jkmrc.uq.edu.au
---------------------------------------------------------------------------
As an experiment, I tried putting the static routes in a host
statement for an unrelated Win XP machine to see what would happen:
host d {
    hardware ethernet 00:16:76:d3:d8:0b;
    option classless-routes 32, 0,0,0,0, 192,168,36,30,
                            16, 130,102, 192,168,36,30;
}
This did result in the static routes being supplied by the ISC server:
# tcpdump -i ex0 -lenx -s 1500 port bootps or port bootpc | dhcpdump
tcpdump: listening on ex0
Old-style tcpdump output
TIME: 12:59:15.146645
IP: 192.168.36.162.68 (0:1:96:de:9b:e1) > (0:4:75:98:a:31)
OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 5e0a4a47
SECS: 0
FLAGS: 0
CIADDR: 192.168.36.162
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:16:76:d3:d8:0b:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 3 (DHCPREQUEST)
OPTION: 61 ( 7) Client-identifier 01:00:16:76:d3:d8:0b
OPTION: 12 ( 3) Host name dd3
OPTION: 81 ( 22) Client FQDN 0-0-0 dd3.jkmrc.uq.edu.au
OPTION: 60 ( 8) Vendor class identifier MSFT 5.0
OPTION: 55 ( 11) Parameter Request List 1 (Subnet mask)
15 (Domainname)
3 (Routers)
6 (DNS server)
44 (NetBIOS name server)
46 (NetBIOS node type)
47 (NetBIOS scope)
31 (Perform router discovery)
33 (Static route)
249 (MSFT - Classless route)
43 (Vendor specific info)
---------------------------------------------------------------------------
TIME: 12:59:15.169222
IP: 192.168.36.2.67 (0:4:75:98:a:31) > (0:16:76:d3:d8:b)
OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 5e0a4a47
SECS: 0
FLAGS: 0
CIADDR: 192.168.36.162
YIADDR: 192.168.36.162
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:16:76:d3:d8:0b:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 5 (DHCPACK)
OPTION: 54 ( 4) Server identifier 130.102.20.3
OPTION: 51 ( 4) IP address leasetime 604800 (7d)
OPTION: 81 ( 22) Client FQDN 3-8-8 dd3.jkmrc.uq.edu.au
OPTION: 1 ( 4) Subnet mask 255.255.254.0
OPTION: 15 ( 15) Domainname jkmrc.uq.edu.au
OPTION: 3 ( 4) Routers 192.168.36.30
OPTION: 6 ( 8) DNS server 192.168.36.1,130.102.128.53
OPTION: 44 ( 8) NetBIOS name server 192.168.36.37,192.168.36.15
OPTION: 46 ( 1) NetBIOS node type 8 (H-node)
OPTION: 249 ( 16) MSFT - Classless route 2000000000c0a824 .....®$
1e108266c0a8241e ...f.®$.
---------------------------------------------------------------------------
^C
9652 packets received by filter
0 packets dropped by kernel
#
Curiously, the Win XP machine then said it had two default gateways,
both 192.168.36.30. I suppose there's no real point in this case,
but I wondered if it's possible to cancel the router setting it's
getting from the subnet scope? When I first tried this experiment,
this XP box was being assigned a static IP in another subnet by a
fixed-address statement in the host statement. This resulted in it
having two different default gateways: one from the static IP's
subnet and the other from the static route.
I wonder if there is a way to get the option 249 data to the VPN clients too?
Ray
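The 16 bytes that dhcpdump shows in the second DHCPACK ("2000000000c0a824 1e108266c0a8241e") are the wire form of the "array of unsigned integer 8" list in dhcpd.conf. Option 249 uses the same encoding as the RFC 3442 classless static route option (121): for each route, one byte of prefix width, then only the significant octets of the destination (ceil(width/8) of them), then the four octets of the router. The following encoder/decoder is an added example, not code from the post or from ISC dhcpd; it decodes the captured bytes back into routes and builds the dhcpd.conf line from CIDR notation. The function and variable names are the example's own. One thing the decoder makes visible: the first entry in the post as written ("32, 0,0,0,0, router") is a 32-bit prefix over 0.0.0.0, while a default route in this encoding is width 0 with no destination octets at all ("0, router"), which the encoder below produces from "0.0.0.0/0".

```python
"""Encode/decode DHCP classless static routes (RFC 3442 option 121 / Microsoft option 249).

Added example, not part of the mailing-list post or of ISC dhcpd. Wire format per route:
  <prefix width: 1 byte> <significant octets of destination: ceil(width/8)> <router: 4 bytes>
"""
import ipaddress

# Bytes exactly as shown by dhcpdump for OPTION 249 in the DHCPACK capture above.
CAPTURED_OPTION_249 = bytes.fromhex("2000000000c0a8241e108266c0a8241e")


def encode_routes(routes):
    """routes: iterable of (destination CIDR string, router IP string) -> option payload bytes."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # host bits must be zero
        width = net.prefixlen
        sig = (width + 7) // 8                           # significant destination octets
        out.append(width)
        out += net.network_address.packed[:sig]          # width 0 -> no destination octets
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_routes(payload):
    """Parse an option 121/249 payload into [(IPv4Network, IPv4Address), ...].

    Raises ValueError on a prefix width > 32, a truncated route, or host bits set
    in the destination (a malformed descriptor a client should not act on).
    """
    routes = []
    i = 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"bad prefix width {width} at offset {i}")
        sig = (width + 7) // 8
        i += 1
        if i + sig + 4 > len(payload):
            raise ValueError(f"truncated route descriptor at offset {i - 1}")
        dest = payload[i:i + sig] + b"\x00" * (4 - sig)  # pad to a full address
        router = payload[i + sig:i + sig + 4]
        i += sig + 4
        net = ipaddress.IPv4Network((dest, width), strict=True)
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def dhcpd_option_line(routes, name="classless-routes"):
    """Render 'option <name> b, b, ...;' for dhcpd.conf, matching the
    'array of unsigned integer 8' definition used in the post."""
    return f"option {name} " + ", ".join(str(b) for b in encode_routes(routes)) + ";"


if __name__ == "__main__":
    for net, gw in decode_routes(CAPTURED_OPTION_249):
        print(f"{net} via {gw}")
    # What a real default route plus the 130.102/16 route looks like in dhcpd.conf:
    print(dhcpd_option_line([("0.0.0.0/0", "192.168.36.30"),
                             ("130.102.0.0/16", "192.168.36.30")]))
```

Run it as a script to see the two routes the XP box actually received, followed by the dhcpd.conf line for a width-0 default route. The decoder deliberately rejects descriptors with host bits set or a width over 32 rather than guessing, since a DHCP server that can push routes to clients is an attractive thing to spoof and a parser that silently "repairs" bad descriptors hides that.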