Assign IP Range to specific AP

Ashley M. Kirchner kirash4 at gmail.com
Mon Apr 25 15:25:58 UTC 2016


Unfortunately we have neither a managed switch, a spare router port, nor
the ability to use VLANs on the current equipment. While the individual APs
themselves are capable of being configured to use a VLAN id, the "router"
as it is, is simply a multi-homed machine, not a managed switch. And while
I can probably add another NIC to it, I was hoping not to have to do that.
So it seems, from what you are suggesting, that my only options are to
either:
a) add another NIC to the current multi-homed machine and configure that as
the guest network with a completely different subnet, or
b) get a managed switch with VLAN capabilities (not likely to happen), or
alternatively
c) say screw it, and deal with the limitations I'm facing and face the
consequences ... heh.


On Mon, Apr 25, 2016 at 9:09 AM, Simon Hobson <dhcp1 at thehobsons.co.uk>
wrote:

> Ashley M. Kirchner <kirash4 at gmail.com> wrote:
>
> > Our network has three different access points (AP), all of them
> connected to the same subnet. Two of them are being used for the employees
> in the building, and the third one is a guest AP. DHCPd is currently
> configured so that all the pools are denying unknown-clients. For the
> public AP, I have to create a (public) pool that does allow
> unknown-clients, but how would I restrict that pool to only assign IPs to
> devices connecting through that one AP? Right now if any unknown client
> connects through the other APs or directly through the network, that
> (public) pool assigns an IP. I don't want that. I only want the (public)
> pool to assign IPs if the device is connected through that one open AP, and
> deny any other unknown clients that connect through any other means.
> >
> > Is that possible?
>
> To do what you want as written will need a managed switch that can add
> circuit-id to DHCP requests, then you can manage pool availability from
> that.
> But - this is rubbish from a security PoV. Unless you have other measures
> in place (in which case I doubt you'd be asking the question) then any
> client can manually configure an address and access the network - and
> finding out the required details is fairly trivial to do.
>
> I would suggest some re-engineering of the network would be a better
> course of action.
> Split the guests off onto a separate network - then you can stop them
> accessing your internal network as they can right now. Then DHCP would
> simply manage it as two different subnets. To do that just needs a spare
> port on a router.
>
> Better would be to offer both networks across all the APs. Many APs
> support multiple SSIDs (wireless networks), using a different VLAN for each
> SSID. With a managed switch, you trunk the VLANs required to the AP, and
> it's logically much the same as having multiple switches and multiple sets
> of APs - again from the DHCP PoV it's just two (or more) subnets.
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
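As an added illustration (not part of this thread, and not from anyone posting in it), here are the two layouts Simon describes written as ISC dhcpd configuration. All subnets, ranges and the circuit-id value are invented. What a real switch places in the circuit-id sub-option (option 82, sub-option 1) is vendor-specific, so capture an actual request on the server before relying on the literal. In the first fragment the guest pool is usable only by requests carrying the guest AP's circuit-id, and the employee pool additionally refuses anything that arrived through that port; an unknown client on another AP or a wired port then matches no pool and gets no lease. The second fragment is the separate-subnet layout (a second NIC or a VLAN per network), where no per-pool class matching is needed. As Simon points out, neither stops a client from configuring a static address; only the separate network actually isolates guests from the internal LAN.

```conf
# Added example, not from the thread. Addresses, ranges and the
# circuit-id value below are invented; adjust them to your network.
# The two options both declare 192.168.1.0/24 and are alternatives:
# use one or the other, never both in the same dhcpd.conf.

# ---- Option 1: one subnet, pool selection by relay-agent circuit-id ----
# Requires a switch that inserts DHCP option 82 (relay agent information).
# Sub-option 1 (agent.circuit-id) identifies the ingress port; its encoding
# is vendor-specific, so learn the real bytes from a packet capture.
class "guest-ap-port" {
    # Hypothetical value: whatever the switch inserts for the guest AP's port
    match if option agent.circuit-id = 00:04:00:01:00:18;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;

    # Employee pool: registered hosts only, and never for requests that
    # came in through the guest AP's switch port.
    pool {
        range 192.168.1.50 192.168.1.149;
        deny unknown-clients;
        deny members of "guest-ap-port";
    }

    # Guest pool: any client, but only when the request carries the guest
    # port's circuit-id. Unknown clients elsewhere match no pool at all.
    pool {
        range 192.168.1.200 192.168.1.250;
        allow members of "guest-ap-port";
    }
}

# ---- Option 2: guests on their own subnet (second NIC or a VLAN) ----
# dhcpd selects the subnet from the interface (or giaddr) the request
# arrived on, so each network carries its own policy without classes.
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    pool {
        range 192.168.1.50 192.168.1.149;
        deny unknown-clients;        # employees: host declarations only
    }
}

subnet 192.168.50.0 netmask 255.255.255.0 {
    option routers 192.168.50.1;
    option domain-name-servers 192.168.50.1;
    default-lease-time 3600;         # short leases for transient guests
    max-lease-time 7200;
    pool {
        range 192.168.50.100 192.168.50.250;
        allow unknown-clients;       # guests: no registration required
    }
}
```

Check the syntax before reloading with `dhcpd -t -cf /etc/dhcp/dhcpd.conf`. For Option 2 the multi-homed machine still has to filter traffic between the two interfaces itself (host firewall rules); dhcpd only decides who gets which address.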