On Mon, 16 Jan 2017 at 03:44 -0000, Rob Kampen wrote:
> On 16/01/17 17:12, James A. Peltier wrote:
> > VLANs are your friend, otherwise DHCPD is not going to understand how to
> > properly answer your request for different networks on the same interface.
Be careful about expecting VLANs to provide security. VLANs are for
traffic management are not directly a security tool. They might be
useful in a carefully designed security model.
> Here's an idea - untested.
> set up a network on the single nic - say 192.168.55.xx/24
> set up the dhcp to offer leases from a subset of this network - say
> 192.168.55.128/28
> set up fixed leases based upon mac address from the remainder of the network -
> i.e. outside the subset above - e.g. 192.168.55.1/28
> then route / firewall as required - i.e. trusted known mac address hence IP
> address allowed vs unknown guest given an IP address we can block or otherwise
> handle.
> As indicated, this is not tested but if memory serves, dhcpd will allow this
> kind of allocation.
I do something like this (although FreeBSD is my dhcp server) only I
do like the original proposal, two addresses on the DHCP server and
both subnets configured. Part of my dhcp configuration includes:
shared-network shared {
# Primary subnet
subnet 192.168.30.0 netmask 255.255.255.0 {
option routers 192.168.30.1;
max-lease-time 86400;
default-lease-time 86400;
authoritative;
range 192.168.30.48 192.168.30.59;
}
# Secondary subnet
subnet 192.168.40.0 netmask 255.255.255.0 {
option routers 192.168.40.1;
max-lease-time 86400;
default-lease-time 86400;
authoritative;
}
} # end of shared-network shared
host ip-phone-1 {
hardware ethernet 00:0b:82:xx:xx:xx;
## fixed-address 192.168.30.129;
fixed-address 192.168.40.129;
}
There are other things necessary to make this all work. I also have a
FreeBSD system acting as a router between the subnets and my ISP
connection. I also have a caching dns service on both subnets (I
didn't include the dns related configuration in the example above).
As others have suggested, this also is NOT a security technique. The
systems in each address space will have access to systems in the other
address space even without a router. I don't distinguish between
trusted and untrusted networks, I assume all are untrusted and secure
the systems themselves as needed.
Stuart
--
I've never been lost; I was once bewildered for three days, but never lost!
-- Daniel Boone
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
