Chris Knipe wrote:
> > > In some severe cases, this may cause some confusion with some
> > > applications and routing from a client side. I am not too sure however.
> >
> > Hmm, lack of insight prevents me from seeing a problem here.
> > Are you thinking of apps that should not be able to 'see' across
> > different segments, courtesy of firewall rules, but may be able to do so
> > due to the broadcasts allowed by dhcrelay?
> > The latter should AFAIK broadcast only dhcp-stuff.
>
> Like I pointed out, I am talking under correction. But I believe that
> (especially NT servers) rely on broadcasts for the ability to change /
> update / figure out routes. The bottom of the line is just that the arp
> cache may become messy if and when a server / client on one segment adds a
> machine to arp while the machine is on another segment. In this case,
> the client will not send data to its default gateway, and thus the route
> will be seen as a local one, which in fact it is not. Bottom of the
> line, the client will not route.
>
> There are however options you can specify in your DHCP scope to 1) force
> all clients to ALWAYS use the default gateway for routing, and 2) you can
> force a broadcast address to be used, which means that you will be able
> to perhaps minimise the mess of broadcasts :)

Could well be you can skip this 'talking under correction' :o:

I got some nic problems sorted out today, so I can have the five interfaces I need. DHCP works fine over the three segments needing DHCP. However, it's a bit worse when it comes to normal traffic. Sometimes I can get a connection from a client through the firewall/router, especially immediately after rebooting the firewall. Shortly after, I get no replies, or it takes an immensely long time. I can ping any interface, but not all traceroutes go through. Unfortunately, my customer closes early, so I didn't have time to script tcpdumps, but from what I remember, I saw some 10.12.255.255 broadcasts on a 10.12.0.0 segment.

Now I have the feeling that those 255.255.255.255 routes necessary for dhcp and dhcrelay to work are mixing up normal broadcasts; not an expert on the subject, though. As you said, I can force specific broadcasts; true, but this will only work _after_ the client gets its config, right? M$ clients still need that 4x255 route to locate the dhcp-server. Didn't have time to test this either.

I do specify a router on each segment, i.e. 10.13.0.1 for a 10.13.0.0 net:

subnet 10.13.0.0 netmask 255.255.0.0 {
        default-lease-time 86400;       # One day
        max-lease-time 604800;          # seven days
        option subnet-mask 255.255.0.0;
        option routers 10.13.0.1;
        range 10.13.0.10 10.13.0.250;
}

--
Regards,
Mogens Valentin
Networking - Security - Programming
Linux configuration and troubleshooting
http://www.danbbs.dk/~monz - monz@danbbs.dk

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
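As an added example (not part of this thread), a small Python checker that parses subnet blocks in the style of the dhcpd.conf fragment above and flags the two points raised in it: a routers option that does not sit inside the subnet it is handed out on, and a subnet with no explicit broadcast-address. The embedded sample configuration is constructed; its 10.12.0.0 block is deliberately misconfigured so the checker has something to report.

```python
import ipaddress
import re

# Constructed sample in the style of the fragment quoted in the mail. The
# 10.12.0.0 block points clients at a router on another segment and has no
# explicit broadcast-address; the checker should flag both.
SAMPLE_CONF = """
subnet 10.13.0.0 netmask 255.255.0.0 {
    default-lease-time 86400;   # One day
    max-lease-time 604800;      # seven days
    option subnet-mask 255.255.0.0;
    option routers 10.13.0.1;
    option broadcast-address 10.13.255.255;
    range 10.13.0.10 10.13.0.250;
}
subnet 10.12.0.0 netmask 255.255.0.0 {
    option subnet-mask 255.255.0.0;
    option routers 10.13.0.1;
    range 10.12.0.10 10.12.0.250;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")

def parse_subnets(conf):
    """Return {IPv4Network: {option-name: value}} for every subnet block."""
    text = re.sub(r"#.*", "", conf)  # drop trailing '#' comments
    result = {}
    for addr, mask, body in SUBNET_RE.findall(text):
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        result[net] = {k: v.strip() for k, v in OPTION_RE.findall(body)}
    return result

def check_subnets(conf):
    """Map each subnet (as a string) to a list of problems found in it."""
    problems = {}
    for net, opts in parse_subnets(conf).items():
        issues = []
        routers = opts.get("routers")
        if routers is None:
            issues.append("no routers option")
        else:
            for r in (x.strip() for x in routers.split(",")):
                if ipaddress.IPv4Address(r) not in net:
                    issues.append(f"router {r} not inside {net}")
        bcast = opts.get("broadcast-address")
        if bcast is None:
            issues.append("no explicit broadcast-address")
        elif ipaddress.IPv4Address(bcast) != net.broadcast_address:
            issues.append(f"broadcast-address {bcast} != {net.broadcast_address}")
        problems[str(net)] = issues
    return problems

if __name__ == "__main__":
    for net, issues in check_subnets(SAMPLE_CONF).items():
        print(net, "OK" if not issues else "; ".join(issues))
```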