Re: DHCP and multiple netsegments

Chris Knipe wrote:
> 
> I hope you have a better understanding of what's going on now :)  I guess
> we were all too late?

Never too late, and yes, my understanding is improving...

> You do realise that you need to install a DHCP/Relay on your
> firewall/router (the one between the DHCP server and clientsegment2??)

I do.

> I (personally), understand DHCP to only work for hosts which are connected
> to the same physical wire.

And rightfully so.

> My suggestion to you would be to move your DHCP server. 

Yes. As I stated from the beginning, it was a (silly) test setup. Because
my customer was awaiting a new ISP hookup, I filled time trying out the
misfit concept, thereby crossing my own legs enough to fall over them
:o:
Sorry about all the confusion.

The setup is now:

         NAT   10.0.0.0/16 dhcpd +dhcrelay  eth1  10.1.0.0/16
   ---- router ----------- firewall/router+------ serversegment
                           eth0           |
                                          | eth2  10.2.0.0/16
                                          +------ clientsegment1
                                          |
                                          | eth3  10.3.0.0/16
                                          +------ clientsegment2

On the firewall, I needed to create a route 255.255.255.255 dev eth2 
plus run  dhcrelay -i eth2 -i eth3  to make things work on
clientsegment1.
It seems (again, more testing..) the order of execution is:
  setup routes
  start dhcrelay
  start dhcpd
Dhcpd can be started normally (from rc.d/init.d) without any options.
Didn't have time to test this on clientsegment2, but I expect things to
work alike there with a similar route. Will test it tomorrow.
 
> <snip, about dhcpd placement>, you can secure it in such a way that only
> broadcasts are allowed on the cable, thus not compromising your
> security...

I see your point. Got some servers to move from the old ISP line to the
new internal serversegment. Once that's done, I'll implement dhcpd on the
serversegment alongside other servers. Ok, not exactly what you're
suggesting, but it should then be possible to implement rules to control
access to that segment safely enough. Comments are welcomed.

One thing: I'll surely have to continue running dhcrelay on the firewall,
but I know nothing about possible security holes with dhcrelay.
-- 
Regards,
              Mogens Valentin
    Networking - Security - Programming
  Linux configuration and troubleshooting
http://www.danbbs.dk/~monz - monz@danbbs.dk
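For the three-segment topology drawn in the message above, dhcpd also has to carry a subnet declaration for every segment it serves, the two relayed ones included, or it has no pool to answer those requests from. The dhcpd.conf below is an added example, not from this thread; the firewall's 10.x.0.1 interface addresses and the lease ranges are assumptions.

```conf
# dhcpd.conf for the firewall in the thread's diagram (added example;
# the 10.x.0.1 router addresses and the lease ranges are assumed)
authoritative;
default-lease-time 3600;
max-lease-time 86400;

# serversegment on eth1: dhcpd sees these broadcasts directly
subnet 10.1.0.0 netmask 255.255.0.0 {
    range 10.1.1.10 10.1.1.250;
    option routers 10.1.0.1;
    option subnet-mask 255.255.0.0;
}

# clientsegment1 on eth2: without this block dhcpd has nothing to hand
# out for requests that arrive tagged with the 10.2.0.0/16 segment
subnet 10.2.0.0 netmask 255.255.0.0 {
    range 10.2.1.10 10.2.1.250;
    option routers 10.2.0.1;
    option subnet-mask 255.255.0.0;
}

# clientsegment2 on eth3: same pattern
subnet 10.3.0.0 netmask 255.255.0.0 {
    range 10.3.1.10 10.3.1.250;
    option routers 10.3.0.1;
    option subnet-mask 255.255.0.0;
}
```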