Problems using class match by user-option

Simon Hobson dhcp1 at thehobsons.co.uk
Tue Dec 19 22:09:17 UTC 2017


Sven Schumacher <schumacher at tfd.uni-hannover.de> wrote:

> I have the following problem: too many clients within a limited range of
> IP addresses.
> I would like to sort the clients which dynamically get their IP into two
> pools. One of them is for PXE clients or clients with "official"
> IP addresses, the other one for "NAT"-able clients. But only
> "known-clients" shall be assigned an address (later on there might be
> the option to assign unknown-clients a third range within a third pool
> with no internet access and in an isolated IP range, which gets blocked
> by firewall on all other devices). So I tried the following in dhcpd.conf:
> 
> 
> option tfd-scope-identifier code 230 = text;
> 
> class "gaeste" {
>  match if (config-option tfd-scope-identifier = "gaeste");
> }
> 
> shared-network tfd {
> 
>    subnet 10.69.0.0 netmask 255.255.0.0 {
>      deny unknown-clients;
>      ...
>    }
>    subnet 130.75.69.0 netmask 255.255.255.0 {
>      deny unknown-clients;
>      ...
>    }
> 
>     host test1 {
>         hardware ethernet aa:bb:cc:dd:ee:ff;
>         option tfd-scope-identifier "gaeste";
>     }
>     host test2 {
>         hardware ethernet bb:cc:dd:ee:ff:aa;
>     }
>      pool { # host test2 should get IP of this pool
>          range 130.75.69.50 130.75.69.60;
>          deny members of "gaeste";
>          ....
>      }
>      pool { # host test1 should get IP of this pool, but didn't
>          range 10.69.253.1 10.69.253.254;
>          option routers 10.69.0.251;
>          allow members of "gaeste";
>      }
> }
> 
> 
> 
> But when I did this, test2 still got an IP of the address range
> 130.75.69.50 to 130.75.69.60. So the class-match for the config-option
> seems to be wrong.

There are several things wrong with your config. The first thing is that you need to move your host statements to the global scope - defining them in the shared-network scope doesn't work as you might expect (you can get some very strange inheritance issues).
Similarly, the pools should be defined inside the subnets to which they belong.

Next, don't mix allow and deny statements in a pool - remember that a pool inherits settings/options from a parent subnet/enclosing shared network/global scope. Ted's described how allow and deny work together, but TBH I could never remember it - and it's by far the safest option to simply not mix them!

I would suggest something along the lines of:

class "pxeclients" {
  match if ?;
}
# Check the archives, I'm sure there'll be an example of how to match PXE clients.

class "authhosts" {
  match hardware;
}

subclass "authhosts" 1:aa:bb:cc:dd:ee:ff;
subclass "authhosts" 1:bb:cc:dd:ee:ff:aa;
# Check man dhcpd.conf and see the section on classes and subclasses as I've probably got the syntax wrong.


shared-network ... {
  subnet a.b.c.d ... {
    pool {
      ....
      allow members of "authhosts";
    }
  }

  subnet w.x.y.z ... {
    pool {
      ...
      allow members of "pxeclients";
    }
  }

  subnet m.n.o.p ... {
    pool {
      ...
      deny members of "authhosts";
      deny members of "pxeclients";
    }
  }
  # Optional subnet/pool for "everything else"

}
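Below is a complete dhcpd.conf laid out the way Simon describes (hosts global, pools inside their subnets, each pool either allow-only or deny-only), written as an added example that is not part of the original thread. It reuses the addresses and MACs from Sven's post. Assumptions: PXE clients identify themselves with a vendor-class-identifier beginning "PXEClient" (the usual match, but verify against your boot ROMs), the 130.75.69.100-150 PXE range, the 10.69.254.0/24 isolated range and the 130.75.69.1 gateway are invented for the example, and a second MAC-keyed class "natclients" is used instead of Sven's custom option 230.

```conf
# Added example (not from the thread): dhcpd.conf in the shape Simon suggests,
# using the addresses and MACs from Sven's post. Ranges marked "assumed" are
# made up for the example.

default-lease-time 600;
max-lease-time 7200;
authoritative;

# Host declarations belong in the global scope, never inside a shared-network.
# A host with a hardware entry is a "known" client.
host test1 {
    hardware ethernet aa:bb:cc:dd:ee:ff;
}
host test2 {
    hardware ethernet bb:cc:dd:ee:ff:aa;
}

# Assumption: PXE boot ROMs send option 60 starting with "PXEClient".
class "pxeclients" {
    match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
}

# Membership by MAC: "match hardware" keys the class on hardware type plus
# address; each subclass line adds one member (leading 1: = Ethernet).
class "authhosts" {
    match hardware;
}
subclass "authhosts" 1:bb:cc:dd:ee:ff:aa;   # test2: "official" address

class "natclients" {
    match hardware;
}
subclass "natclients" 1:aa:bb:cc:dd:ee:ff;  # test1: NAT address

shared-network tfd {

    subnet 130.75.69.0 netmask 255.255.255.0 {
        option routers 130.75.69.1;          # assumed gateway
        # Pools sit inside the subnet that owns their range.
        pool {
            range 130.75.69.50 130.75.69.60;
            # Allow-only: a client matching no allow statement is refused
            # this pool, so no "deny" is needed here.
            allow members of "authhosts";
        }
        pool {
            range 130.75.69.100 130.75.69.150;   # assumed PXE range
            allow members of "pxeclients";
        }
    }

    subnet 10.69.0.0 netmask 255.255.0.0 {
        option routers 10.69.0.251;
        pool {
            range 10.69.253.1 10.69.253.254;
            allow members of "natclients";
        }
        # Optional "everything else" pool (Sven's later isolated range).
        # Deny-only: anyone not in a listed class lands here. Delete this
        # pool and clients outside the classes match no allow list anywhere,
        # so they get no lease at all.
        pool {
            range 10.69.254.1 10.69.254.254;     # assumed isolated range
            deny members of "authhosts";
            deny members of "natclients";
            deny members of "pxeclients";
        }
    }
}
```

Check the file before restarting the server with `dhcpd -t -cf /etc/dhcp/dhcpd.conf`, which parses the configuration without serving. Keep the MAC-keyed classes disjoint: a client that is a member of two classes is eligible for both of their pools, and whichever pool the server picks first with a free address wins.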



