Nerevar l33t
Joined: 31 May 2008 Posts: 720
Posted: Fri Dec 29, 2017 6:22 pm Post subject: dhcpd.conf for private/guest networks
I'm trying to set up dhcpd for my private and guest networks. My "trusted" clients get a 1.x address and are able to connect to the internet. My guest clients do get a 10.x address as desired, but they are unable to connect to the internet.
Is there some other routing option I can set, or is this kind of segmentation impossible with net-misc/dhcp?
Code:
authoritative;

class "trusted" {
    match hardware;
}
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # pc 1
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # pc 2
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # pc 3
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # mobile 1
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # mobile 2
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # mobile 3
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # mobile 4

subnet 192.168.0.0 netmask 255.255.0.0 {
    option domain-name-servers 192.168.1.2, 208.67.222.222, 208.67.220.220;
    option interface-mtu 1492;
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    pool {
        allow members of "trusted";
        default-lease-time 3600;
        max-lease-time 14400;
        option broadcast-address 192.168.1.255;
        range 192.168.1.50 192.168.1.200;
    }
    pool {
        default-lease-time 600;
        max-lease-time 3600;
        option broadcast-address 192.168.10.255;
        range 192.168.10.50 192.168.10.200;
    }
}
Note that I tried doing this with multiple subnets as well. That also had the same issue.
Thanks!
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54809 Location: 56N 3W
Posted: Fri Dec 29, 2017 6:38 pm Post subject:
Nerevar,
What is the output of and ?
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Nerevar l33t
Joined: 31 May 2008 Posts: 720
Posted: Fri Dec 29, 2017 6:57 pm Post subject:
Hi Neddy,
ifconfig:
Code:
wlo1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.10.50  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:11749 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10126 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11698479 (11.6 MB)  TX bytes:1383162 (1.3 MB)
route:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    600    0        0 wlo1
link-local      *               255.255.0.0     U     1000   0        0 wlo1
192.168.1.1     *               255.255.255.255 UH    600    0        0 wlo1
192.168.1.2     192.168.1.1     255.255.255.255 UGH   600    0        0 wlo1
192.168.10.0    *               255.255.255.0   U     600    0        0 wlo1
Thank you!
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54809 Location: 56N 3W
Posted: Fri Dec 29, 2017 7:14 pm Post subject:
Nerevar,
You only have a single IP address on wlo1, 192.168.10.50, which comes from your untrusted pool.
Route shows
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    600    0        0 wlo1
which is good, as you can at most have a single default route.
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    *               255.255.255.0   U     600    0        0 wlo1
allows everything on 192.168.10.0/24 to talk among themselves, but the internet gateway is at 192.168.1.1, so it cannot be reached.
You can try
Code:
route add default gw 192.168.1.1
but I suspect that the kernel will complain that it can't reach 192.168.1.1.
Somewhere you need a static route between the two subnets. I guess you didn't want to do that.
What do you want to achieve?
I have two separate interfaces for my trusted and untrusted subnets, so that they are physically separated.
Both are NATed to the internet.
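The reachability test Neddy describes above, as an added shell example that is not part of the thread: a gateway can only serve as a default route if it lies inside the host's own on-link prefix, which is what the kernel checks before it accepts `route add default gw`. The function names and the 192.168.1.50 trusted-client address are assumptions; the other addresses and masks are the ones posted above.

```sh
#!/bin/sh
# Added example (not from the thread): reproduces the kernel's on-link check
# for a candidate default gateway, using plain POSIX sh arithmetic.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# on_link HOST NETMASK GATEWAY
# Succeeds when HOST and GATEWAY share the same network under NETMASK,
# i.e. when the host can ARP for the gateway directly.
on_link() {
    h=$(ip_to_int "$1"); m=$(ip_to_int "$2"); g=$(ip_to_int "$3")
    [ $(( h & m )) -eq $(( g & m )) ]
}

# Print the verdict the kernel gives for "route add default gw GATEWAY".
check_default_route() {
    if on_link "$1" "$2" "$3"; then
        echo "ok: $3 is on-link from $1/$2; a default route via $3 can be installed"
    else
        echo "unreachable: $3 is not on-link from $1/$2; 'route add default gw $3' is refused"
    fi
}

# Values from the thread: the guest client got 192.168.10.50/24 from the
# untrusted pool but was told to use 192.168.1.1 as its router.
check_default_route 192.168.10.50 255.255.255.0 192.168.1.1
# A trusted-pool client (192.168.1.50 is an assumed address inside the trusted range).
check_default_route 192.168.1.50 255.255.255.0 192.168.1.1
# The same guest address with the /16 of the posted "subnet" line: had dhcpd
# handed out that mask instead of "option subnet-mask 255.255.255.0", the
# gateway would have been on-link.
check_default_route 192.168.10.50 255.255.0.0 192.168.1.1
```

With the posted config the guest client receives the /24 mask, so 192.168.1.1 is off-link and the default route never gets installed. The /16 case shows that widening the mask would have made the gateway reachable, but only by putting both ranges back into one on-link network, which undoes the separation the class split was meant to create.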
Nerevar l33t
Joined: 31 May 2008 Posts: 720
Posted: Fri Dec 29, 2017 7:23 pm Post subject:
NeddySeagoon wrote:
> Nerevar,
> What do you want to achieve?
Ultimately I'd like to be able to configure a firewall that prevents the untrusted network from reaching the trusted devices (except for the router/dns/dhcp PC). I would like to do this by forcing the untrusted network to a separate ip range if possible, but it looks like it's going to take a firewall configuration utilizing MAC addresses.
Edit: You're correct, the 10.x PCs can't ping 192.168.1.1 (they can ping 192.168.1.2). So, that's why they can't get to the Internet.
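One way to build the layout Neddy describes (trusted and guest on separate interfaces, both NATed) together with the isolation Nerevar is after (guests reach the internet and this box's DHCP/DNS, nothing else on the trusted LAN), as an added example that is neither the thread's own code nor the DD-WRT tutorial's. It assumes a single Linux box acting as router, dhcpd and DNS server, with the interface names eth0/eth1/wlan0 and router addresses 192.168.1.1 and 192.168.10.1; the MAC in the class is the thread's placeholder, and the function names are mine. Giving the guest range its own interface with its own on-link router is what removes the unreachable-gateway problem, and a separate broadcast domain is what makes the firewall meaningful: with both ranges on one segment, guests could still reach trusted hosts at layer 2 and the router would never see that traffic.

```sh
#!/bin/sh
# Added example, not from the thread. One Linux box is router, DHCP and DNS
# server, with three interfaces (names and addresses are assumptions):
#   $WAN_IF   - uplink, NATed
#   $LAN_IF   - trusted LAN, 192.168.1.1/24  (the thread's trusted range)
#   $GUEST_IF - guest LAN,   192.168.10.1/24 (the thread's guest range)
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
GUEST_IF=${GUEST_IF:-wlan0}
IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of loading them

# Write a dhcpd.conf to the path given as $1: one subnet per interface, each
# with its own on-link router. dhcpd picks the subnet by the address of the
# interface the request arrived on. The MAC class from the thread is kept so
# a trusted MAC that shows up on the guest interface gets no lease at all.
write_dhcpd_conf() {
    cat >"$1" <<'EOF'
authoritative;

class "trusted" {
    match hardware;
}
subclass "trusted" 1:XX:XX:XX:XX:XX:XX;  # placeholder MAC, one line per trusted device

# Trusted LAN, served on the trusted interface only
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 192.168.1.1;
    default-lease-time 3600;
    max-lease-time 14400;
    pool {
        allow members of "trusted";
        range 192.168.1.50 192.168.1.200;
    }
}

# Guest LAN: gateway and DNS live on this subnet, so no cross-subnet route is needed
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option domain-name-servers 192.168.10.1;
    default-lease-time 600;
    max-lease-time 3600;
    pool {
        deny members of "trusted";
        range 192.168.10.50 192.168.10.200;
    }
}
EOF
}

# Load the forwarding policy: trusted goes anywhere, guests get the uplink only,
# and guests may talk to this box solely for DHCP and DNS.
apply_firewall() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections already allowed, in either direction
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Trusted LAN may go anywhere, including the guest LAN
    $IPT -A FORWARD -i "$LAN_IF" -j ACCEPT
    # Guest LAN: drop guest -> trusted explicitly, then allow guest -> uplink
    $IPT -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    $IPT -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    # Guests reach this box only for DHCP (udp/67) and DNS (53); everything else is dropped
    $IPT -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -j DROP
    # Both LANs are NATed to the uplink
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Usage: sh guest-router.sh /etc/dhcp/dhcpd.conf
# Writes the config and loads the rules; does nothing when run without a path.
if [ -n "${1:-}" ]; then
    write_dhcpd_conf "$1"
    apply_firewall
fi
```

Forwarding has to be switched on as well (`sysctl -w net.ipv4.ip_forward=1`), and `dhcpd -t -cf /etc/dhcp/dhcpd.conf` checks the generated file before the daemon is restarted. Running with `IPT=echo` prints the rules instead of loading them, which is a cheap way to review the ordering: the guest-to-trusted DROP must sit before the guest-to-uplink ACCEPT, and nothing in the FORWARD chain accepts guest traffic towards the trusted interface.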
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54809 Location: 56N 3W
Posted: Fri Dec 29, 2017 7:51 pm Post subject:
Nerevar,
How is your ASCII art? Or a photo of a sketch works.
Draw out the systems and interfaces in your network.
Your router, one trusted and one untrusted system will do, with the IPs they have on all interfaces.
Your public IP on the internet is not required. Just those that start 192.
Post the output of route from those systems.
Nerevar l33t
Joined: 31 May 2008 Posts: 720
Posted: Sat Dec 30, 2017 10:07 pm Post subject:
Hi Neddy,
I just wanted to say thanks for all your input. It was very much appreciated. You're really awesome on here and have taught so many of us so much!
Regarding this problem, I was able to get what I wanted working in a completely different way following this tutorial:
https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners
Best Regards,
Nerevar