Problem with shared-network

Glenn Satchell glenn.satchell at uniq.com.au
Fri Jun 5 06:10:49 UTC 2015


In addition to the subnet and pool declarations you also need "host"
statements for each of the clients you want to be "known". A client
matches the "deny unknown-clients" if it has a host statement, otherwise
it matches "allow unknown-clients".

host "known1" { hardware ethernet aa:bb:cc:dd:ee:ff; }

shared-network my-net {
        subnet 192.168.200.0 netmask 255.255.255.0 {
                pool {
                        deny unknown-clients;
                        range 192.168.200.194 192.168.200.200;
                } # pool declaration
        }
        subnet 10.111.111.0 netmask 255.255.255.0 {
                pool {
                        allow unknown-clients;
                        range 10.111.111.5 10.111.111.200;
                }
        }
}

regards,
-glenn


On Fri, June 5, 2015 3:38 am, robert at spotswood-computer.net wrote:
> <aside>I use ignore rather than deny to keep my logs cleaner. Deny logs
> every attempt. The ignore just ignores. And yes, I realize mac filtering
> can be easily defeated by a knowledgeable opponent. A weak attempt at
> security is not my purpose for using mac lists.</aside>
>
> I did not have pools. Now I do. Unfortunately, I still get the same
> behavior. Just for kicks, I reversed the order of the subnets, and to my
> surprise, still got the same behavior, except now the 192 subnet still
> works. So the pools helped. This makes me believe the problem is the 10
> subnet declaration.
>
> I removed the 192 subnet and the shared-network and just left the 10
> subnet. When I attempted to restart the DHCP server, I got the no subnet
> declaration for eth0 and it exited. Adding eth0:1 to both the command line
> and /etc/defaults/isc-dhcp-server did not change the result, only the
> error message: "No subnet declaration for eth0:1 (No IPv4 addresses)"
>
> So despite the shared-network statement, the DHCP server still doesn't
> recognize virtual interfaces??? Can this be right?
>
>> I'm not an expert, but I have something like this and did a little
>> digging. Documentation seems to indicate the allow/deny you are trying
>> is a pool-level declaration, and that's where I'm using them
>> successfully. You don't appear to have a pool defined unless it's part
>> of what you snipped.
>>
>> Oh, and they use allow/deny rather than allow/ignore, which may be
>> pertinent. I certainly don't know all the options that work or don't.
>>
>> Is it possible that what you want is something like
>>
>> shared-network my-net {
>>         subnet 192.168.200.0 netmask 255.255.255.0 {
>>                 pool {
>>                         deny unknown-clients;
>>                         range 192.168.200.194 192.168.200.200;
>>                 } # pool declaration
>>         subnet #second subnet
>>                  pool { #second pool declaration }
>>
>> ________________________________________
>> From: dhcp-users-bounces at lists.isc.org
>> [dhcp-users-bounces at lists.isc.org]
>> on behalf of robert at spotswood-computer.net
>> [robert at spotswood-computer.net]
>> Sent: Thursday, June 04, 2015 11:16 AM
>> To: dhcp-users at lists.isc.org
>> Subject: Problem with shared-network
>>
>> I have a Debian 7.0 running isc-dhcp-server 4.2.2.
>>
>> My server has a single NIC, and using iproute, I've added additional
>> addresses (some lines snipped for brevity):
>>
>> eth0      Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>>           inet addr:192.168.220.111  Bcast:192.168.220.255  Mask:255.255.255.0
>>
>> eth0:1    Link encap:Ethernet  HWaddr 00:50:56:XX:XX:XX
>>           inet addr:10.111.111.1  Bcast:10.255.255.255  Mask:255.255.255.0
>>
>> My goal is for the dhcp server to hand out unknown clients addresses
>> from the 10.111.111.X pool, and known clients to get something from the
>> 192.168.220.X pool. Since these are on the same subnet, I [believe] this
>> requires a shared-network block. My dhcpd.conf file looks like (with
>> comments and global options stripped out for brevity):
>>
>> shared-network my-net {
>>         subnet 192.168.200.0 netmask 255.255.255.0 {
>>                 range 192.168.200.194 192.168.200.200;
>>                 range 192.168.200.215 192.168.200.250;
>>
>>                 ignore unknown-clients;
>>   <bunch of options removed>
>>         } #subnet 192.168.200.0
>>
>>         subnet 10.111.111.0 netmask 255.255.255.0 {
>>                 range 10.111.111.5 10.111.111.200;
>>                 allow unknown-clients;
>> <bunch of options removed>
>>         } #subnet 10.111.111.0
>> } #shared-network
>>
>> It runs, but only gives out 192 addresses. If I reverse the order, so
>> the 10 subnet declaration comes first, then it hands out 10 addresses,
>> but not 192 addresses.
>>
>> Any ideas what I am doing wrong?
>>



