Shared Network Behind a Relay

Jeffrey Hutzelman jhutz at cmu.edu
Tue Nov 4 01:44:07 UTC 2008


--On Monday, November 03, 2008 04:54:19 PM -0700 commo dore 
<commonanog at gmail.com> wrote:

> I've been looking for a while on this issue, and I haven't had much luck
>
> Basic concept is a centralized DHCP Server
>
> Known users      -->
>                                   (eth2) Router A
> (eth1)-------------------->(eth1) DHCP Server
> Unknown Users --->

This diagram makes no sense.  But then, ASCII art seldom does when the 
artist was not using a fixed-width font.  Fortunately, your description is 
fairly clear.


> I want to assign unknown users an IP range of 10.0.0.0/24 until they are
> added to known lists; then they will get an IP in the public IP range (i.e.
> A.B.0.0/24)
>
> Basically an unknown user can only reach internal devices, and can't "go out"
> to the public internet
>
> so something like this:
>
> shared-network test {
>         subnet A.B.0.0 netmask 255.255.255.0 {
>                 option routers A.B.0.1;
>                 range A.B.0.200 A.B.0.210;
>                 deny unknown-clients;
>         }
>         subnet 10.0.0.0 netmask 255.255.255.0 {
>                 option routers 10.0.0.1;
>                 range 10.0.0.100 10.0.0.200;
>                 allow unknown-clients;
>         }
> }
>
> Now Router A
> eth2 A.B.0.1
> eth2:0 10.0.0.1
> DHCP Server
> eth1 A.B.0.100
>
> So whenever the Relay on Router A forwards the request the giaddr is
> A.B.0.1 so it only wants to assign an IP address back in that range. (and
> that works just fine).  Somehow I need to set it so that if giaddr is
> A.B.0.1 and it's an unknown host then assign it in the public range.

The configuration you've described should do that.

The DHCP server doesn't care what subnet the giaddr is in; it only cares 
what shared-network it is in.  So, if your router always sets giaddr to 
A.B.0.1, the DHCP server will know the client is on the "test" 
shared-network, and can/will assign addresses out of any pool on that 
shared-network which is available to the client.

You've said that your DHCP server's interface has address A.B.0.100, which 
is on the same A.B.0.0/24 subnet as your clients.  If the DHCP server is 
really connected to that network, you shouldn't need a relay agent at all.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Carnegie Mellon University - Pittsburgh, PA
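The lookup the reply describes (giaddr selects the shared-network, then each pool's allow/deny list decides which range the client gets), as an added Python model that is not part of this thread and not dhcpd's own code; KNOWN_CLIENTS, SHARED_NETWORKS and the 198.51.100.0/24 stand-in for A.B.0.0/24 are constructed assumptions.

```python
import ipaddress

# Constructed model of the selection rule the reply describes for ISC dhcpd:
# giaddr picks the shared-network, then each pool's permit/prohibit lists
# decide whether the client may take an address from it.

KNOWN_CLIENTS = {"00:11:22:33:44:55"}  # constructed stand-in for host declarations

SHARED_NETWORKS = {
    "test": [
        {"subnet": ipaddress.ip_network("198.51.100.0/24"),   # A.B.0.0/24 in the thread
         "range": ("198.51.100.200", "198.51.100.210"),
         "allow": set(), "deny": {"unknown-clients"}},
        {"subnet": ipaddress.ip_network("10.0.0.0/24"),
         "range": ("10.0.0.100", "10.0.0.200"),
         "allow": {"unknown-clients"}, "deny": set()},
    ],
}


def find_shared_network(giaddr):
    """Name of the shared-network holding the subnet that contains giaddr."""
    addr = ipaddress.ip_address(giaddr)
    for name, pools in SHARED_NETWORKS.items():
        if any(addr in pool["subnet"] for pool in pools):
            return name
    return None


def client_classes(mac):
    """A client is known if it has a host declaration, otherwise unknown."""
    return {"known-clients" if mac.lower() in KNOWN_CLIENTS else "unknown-clients"}


def pool_permits(pool, classes):
    """ISC-style rule: match an allow entry (if any exist) and no deny entry."""
    if pool["allow"] and not (pool["allow"] & classes):
        return False
    return not (pool["deny"] & classes)


def select_pool(giaddr, mac):
    """Return (shared-network, range) the client is served from, or None."""
    name = find_shared_network(giaddr)
    if name is None:
        return None  # no subnet declaration matches giaddr
    classes = client_classes(mac)
    for pool in SHARED_NETWORKS[name]:
        if pool_permits(pool, classes):
            return name, pool["range"]
    return None
```

Both giaddr values the router could use (A.B.0.1 or 10.0.0.1) resolve to the same shared-network, which is the point of the reply.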


