Re: DHCP and multiple netsegments

Hi,

> I'm running some tests right now, hence the dhcpd placement in the wrong
> place in front of the firewall.
> Of course the dhcpd will be placed correctly behind the firewall soon,
> and the DMZ will be NAT'ed on the router.
>
> (IP#'s changed, but resembles the real ones; netmasks are the actual
> ones)
>
>               233.147.155.0                    10.10.0.0
>               255.255.255.192                  255.255.0.0
>   ---- router -----+----- firewall/router ---- clientsegment2
>                    |
>                    +--- dhcpserver
>                    |
>                    +--- clientsegment1
>
> I can start dhcpd using  /etc/rc.d/init.d/dhcpd start  without problems.
> IP#'s are being correctly assigned for clientsegment1, but not for
> clientsegment2.
> Everything works on clientsegment2 when using static IP#'s.
> During tests, no rules are defined on the firewall, only pure
> masquerading, all access works the way it's supposed to (using static
> IP#'s).
> On the dhcpserver, I've created the route 255.255.255.255 dev eth0 due
> to
> w95 clients (w98 works without this rule with my own non-segmented
> setup).

Let me guess, the 255.255.255.255 route is on eth0, which is connected to
clientsegment1?

Because of this, your DHCP broadcasts to the windows machines on the other
hosts, but they are not received because you route them to only the one
segment.  You need to in some way get 255.255.255.255 routed to all your
segments.

> I also tried to add the same route on the firewall/router, on both eth1
> and eth1, but not on both simultaneously. Just to try it...
> Could I have a problem routing broadcasts between eth0 and eth1?

Exactly.  You explicitly route all the broadcasts to only the first
clientsegment.  What about the others?

> Haven't yet tried  route add -net 255.255.255.0 dev eth0  as stated as
> another possible solution in /usr/doc/dhcp-xxxx/README .

The same will happen.  You will only route the broadcasts to one segment,
not all the segments.

> If I don't manage to solve the problem by tomorrow, I'll have to
> implement the dhcp service on the firewall itself, which I don't like.
> Well, at least until I can figure out what's happening...

I hope you have a better understanding of what's going on now :)  I guess we
were all too late?

BTW:  Now that I had a look again at your net layout that you gave...  You
do realise that you need to install a DHCP/Relay on your firewall/router
(the one between the DHCP server and clientsegment2)?

See, here's the catch.

I (personally) understand DHCP to only work for hosts which are connected to
the same physical wire.  You already made the mistake of routing all your
broadcasts (255.255.255.255) to only the one segment, as I pointed out
previously.   Nevertheless, let's imagine that your routing is sorted and
working correctly.  The DHCP server now broadcasts the requests on both
segments (wires); now your clientsegment2 will STILL not receive the DHCP
broadcasts. Why?

There is a wire-break on your firewall/router machine.  Traffic goes in on
one nic, and out on a second nic.  In other words, you cannot broadcast all
the way.  You will definitely need some advanced configs on that machine in the
middle.  My suggestion to you would be to move your DHCP server.  It's going
to save you a lot of trouble.  Or perhaps, have a look at the following net
layout (I don't know whether this will be possible for you):


               233.147.155.0                    10.10.0.0
               255.255.255.192                  255.255.0.0
   ---- router -----+----- firewall/router ---- clientsegment2
                    |                                 |
                    +---------- dhcpserver -----------+  <--
                    |
                    +--- clientsegment1

If you can just get a wire there where indicated, you can secure it in such
a way that only broadcasts are allowed on the cable, thus not compromising
your security, and as far as I can see, all your troubles will be sorted
(except for the routing of course)....  Another possible solution might be to
connect the additional wire to clientsegment1 (so that the two segments are
connected by wire).  This will mean your DHCP server only needs to broadcast
to one segment (end of your routing trouble), and both segments will receive
their packet information.  Once again, you can fine tune routing and such
for the clients with the use of firewalls and ip filters and such.

---
Regards,
Chris Knipe
Cell: (083) 430-8151
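The DHCP/BOOTP relay that the reply says belongs on the firewall/router is the standard answer to the "wire-break" problem described above, and it does not require any broadcast to cross the router. The following is an added example, not code from the original message or from any DHCP implementation: it builds a client DHCPDISCOVER, shows what a relay agent does to it (stamp giaddr with its own address on the client's segment, increment hops, hand it on as a unicast to the server), and shows how the server uses giaddr, or failing that the receiving interface, to pick the right subnet. The two subnets are the (altered) ones from the thread's diagram; the relay and interface addresses, the client MAC and the xid are constructed.

```python
"""Why a relay agent on the firewall/router lets one dhcpd serve both segments.

Added example (not from the original post). Standard library only. Framing
follows the RFC 2131 fixed header; the relay steps follow RFC 1542 section 4.1.1.
"""
import ipaddress
import struct

BOOTREQUEST = 1
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END = 53, 255
DHCPDISCOVER = 1
MAX_HOPS = 16  # a relay discards a request whose hops field is already at the limit

# Constructed from the thread's diagram: the two client segments and their netmasks.
SUBNETS = {
    ipaddress.ip_network("233.147.155.0/26"): "clientsegment1 (same wire as dhcpserver)",
    ipaddress.ip_network("10.10.0.0/16"): "clientsegment2 (behind the firewall/router)",
}


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER as a client broadcasts it: op=BOOTREQUEST, hops=0, giaddr=0."""
    fixed = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000)  # flags: broadcast bit
    fixed += bytes(16)                      # ciaddr, yiaddr, siaddr, giaddr all zero
    fixed += client_mac.ljust(16, b"\x00")  # chaddr is a 16-byte field
    fixed += bytes(64 + 128)                # sname, file (unused here)
    options = DHCP_MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return fixed + options


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed BOOTP header fields that the relay and the server act on."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    ciaddr, yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in (12, 16, 20, 24)
    )
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
            "chaddr": pkt[28:28 + hlen]}


def relay_request(pkt: bytes, relay_if_addr: str):
    """Relay-agent side: called for a client broadcast heard on clientsegment2.

    Sets giaddr to the relay's own address on that segment (only if no earlier
    relay set it), bumps hops, and returns the datagram that the relay then
    *unicasts* to the server's IP. Nothing is broadcast through the router."""
    hdr = bytearray(pkt)
    if hdr[0] != BOOTREQUEST:
        return None  # replies travel back toward the client by a different path
    if hdr[3] >= MAX_HOPS:
        return None  # loop protection between misconfigured relays
    hdr[3] += 1
    if hdr[24:28] == bytes(4):
        hdr[24:28] = ipaddress.IPv4Address(relay_if_addr).packed
    return bytes(hdr)


def select_subnet(pkt: bytes, receiving_if_addr: str):
    """Server side (RFC 2131 section 4.3.1): a non-zero giaddr names the client's
    subnet; otherwise the client sits on the wire of the interface the broadcast
    arrived on, which is the clientsegment1 case in the thread."""
    h = parse_header(pkt)
    anchor = ipaddress.ip_address(h["giaddr"] if h["giaddr"] != "0.0.0.0" else receiving_if_addr)
    for net in SUBNETS:
        if anchor in net:
            return net
    return None


if __name__ == "__main__":
    disc = build_discover(b"\x00\x11\x22\x33\x44\x55", 0xDEADBEEF)
    # clientsegment1 host: its broadcast reaches the server's eth0 directly (constructed address).
    print("direct :", select_subnet(disc, "233.147.155.2"))
    # clientsegment2 host: the firewall/router's inside interface (constructed) relays it.
    relayed = relay_request(disc, "10.10.0.1")
    h = parse_header(relayed)
    print("relayed: giaddr=%s hops=%d ->" % (h["giaddr"], h["hops"]),
          select_subnet(relayed, "233.147.155.3"))
```

The point the code makes concrete: once giaddr carries the relay's 10.10.0.1, the server answers from the 10.10.0.0/16 pool even though the packet arrived as a unicast on its 233.147.155.x interface, so neither the 255.255.255.255 route nor an extra broadcast-only cable is needed.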