grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Mon Sep 23, 2024 8:32 pm Post subject: Should I limit DHCP addresses?
I use a Gentoo router and there are a certain number of devices in my network that use DHCP to get an IP address, so I only make enough DHCP IPs available for each of them to have one. Sometimes one of the devices can't get an IP and I can see on the router that another one of the devices grabbed/reserved several of them. I'm not sure yet if it grabs a new IP each time it reboots or maybe each time it updates and then reboots. I thought about looking into fixing the device that grabs more than one, but is that the right solution? Should my DHCP server be resilient against this sort of behavior by being willing to provide some greater number of IPs? Am I gaining anything security-wise by only making enough IPs available for each of the devices?
Ralphred l33t
Joined: 31 Dec 2013 Posts: 653
Posted: Mon Sep 23, 2024 9:42 pm Post subject:
From a security perspective, only having "just enough addresses" isn't as good as adding

```conf
pool {
    range [start ip] [end ip];
    deny unknown-clients;                                   # <<this
    host [hostname1] { hardware ethernet [mac address1]; } # <<and these to identify allowed clients
    host [hostname2] { hardware ethernet [mac address2]; }
} # end pool
```

into your pool definition, but I'm pretty strict about what gets an IP and what doesn't - normally if you aren't a "known host" you don't get one.
I have a #'d out pool in the middle of the subnet that does allow unknown hosts for when I have guests, add new hardware or am feeling lazy etc.
You should find that if you increase the lease time of the pool (for at least as long as you have things "switched off" normally) you'll end up with a "semi-fixed IP address assignment", as something rebooting will just get its old address rebound. But if you have a specific device that's giving you grief just use

```conf
host hostname {
    hardware ethernet xx:xx:xx:xx:xx:xx;
    fixed-address aaa.bbb.ccc.ddd;
}
```

and make it pre-assigned so it doesn't pollute the "free" section of the pool.
I actually use my dhcpd.conf as the "authoritative source" of what is on my network, so it's full of comments and descriptions, and I'm pretty obsessive about updating it for that reason.
Bob P Advocate
Joined: 20 Oct 2004 Posts: 3374 Location: USA
Posted: Sun Oct 20, 2024 6:25 pm Post subject:
If you're talking about a home system where you're going to have physical control over all of the devices on the LAN, it might make sense to let the devices believe that they are obtaining random IP addresses by DHCP, but to have your router (DHCP server) assign static IP addresses to them based upon MAC addresses. From a configuration standpoint this makes things easy -- you allow all of your LAN devices to be agnostic devices that don't require any setup tweaking other than being told to look for an IP address by DHCP, while you maintain all of the discipline for handing out IP addresses via the router's config file (as previously mentioned). (Assuming that your router hosts your DHCP server.)
Rambling a bit:
You can design your static IP assignments so that your router places any device that may come along on the LAN into a designated range of IP addresses on a specific subnet. For example, you could have any box that performs any sort of server-type role placed into one range of IP addresses/subnet, any device that is recognized as an authorized client device assigned into another range of IP addresses/subnet, and any device that is unrecognized assigned into yet another range of IP addresses/subnet. Then you could write your firewall rules as needed to limit which devices can access which other group of devices on other subnets of the LAN, which devices can access the internet only, etc. (In my case any strange MAC address that accesses the LAN via a wired connection is granted internet access only, and has no access to other subnets. This works for visitors who want internet access but don't need to access my devices.)
Back to leases:
Regarding the problem of having a device that's accumulating a number of IP addresses -- look at your lease duration. You don't want to have a device holding onto a lease (and the associated IP address) longer than is practical. If your lease durations are long, and your rationed number of IP addresses is few, I could see where you could run out of IP addresses if one device keeps asking for new IP addresses.
What's the benefit to be had from limiting the number of addresses available on your LAN? Or having very long lease durations?
There might be a better way to do this, but I like the aforementioned idea of static IP addressing by your DHCP server, based on MAC address.
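Pulling the two replies above together into one complete ISC dhcpd.conf. This is an added example written for this page, not configuration posted by Ralphred or Bob P: it implements Ralphred's "known hosts only" pool and fixed-address hosts, and Bob P's idea of putting server-role boxes, authorized clients and unrecognized devices into separate address ranges that the router's firewall can key on. Every MAC address, hostname and the 192.168.10.0/24 subnet is invented; the class/subclass mechanism used for the appliance range and the `ignore-client-uids` setting are my additions, not something the thread mentions.

```conf
# /etc/dhcp/dhcpd.conf for ISC dhcpd.  Added example; every address, MAC and
# hostname below is invented for illustration.
authoritative;
ddns-update-style none;

# Long leases turn dynamic assignment into a "semi-fixed" mapping: a device that
# reboots re-requests its old address and dhcpd rebinds it while the lease lives.
default-lease-time 604800;    # 7 days
max-lease-time     1209600;   # 14 days

# Key leases on the MAC alone.  A client that presents a fresh
# dhcp-client-identifier on every boot is otherwise treated as a new client each
# time and collects one lease per boot until a tight pool runs dry.
# (Newer 4.x releases only; remove the line on servers that reject it.)
ignore-client-uids true;

option domain-name-servers 192.168.10.1;

# --- Server-role boxes: host + fixed-address, chosen OUTSIDE every dynamic
# range declared below, so they never consume a pool address. ---------------
host nas {
    hardware ethernet 00:11:22:33:44:01;
    fixed-address 192.168.10.10;
}
host printer {
    hardware ethernet 00:11:22:33:44:02;
    fixed-address 192.168.10.11;
}

# --- Authorized clients: a host declaration WITHOUT fixed-address makes the
# device "known" to dhcpd (what allow/deny unknown-clients tests) while still
# letting it take a dynamic lease from the known-clients pool. --------------
host laptop { hardware ethernet 00:11:22:33:44:10; }
host phone  { hardware ethernet 00:11:22:33:44:11; }

# --- Appliance/IoT devices: grouped by class instead of host declarations.
# "match hardware" compares htype:MAC, so subclass keys are "1:" + MAC. -----
class "iot" {
    match hardware;
}
subclass "iot" 1:00:11:22:33:44:20;   # thermostat
subclass "iot" 1:00:11:22:33:44:21;   # camera

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option broadcast-address 192.168.10.255;

    # .2-.99 is reserved for fixed-address hosts; no range is declared for it.

    # Known (host-declared) clients only.  A pool with only a deny list admits
    # everything that does not match it, so class members without a host
    # declaration are refused here because dhcpd counts them as unknown.
    pool {
        range 192.168.10.100 192.168.10.149;
        deny unknown-clients;
    }

    # Appliance range.  A pool with an allow list admits ONLY what matches it,
    # so neither known clients nor strangers can land in this range.
    pool {
        range 192.168.10.150 192.168.10.169;
        allow members of "iot";
    }

    # Everything else (guests, hardware not yet added to this file).  Short
    # leases so a misbehaving stranger cannot hoard addresses for long.
    # Known clients fail the allow test; class members pass it (they have no
    # host declaration) and must be denied explicitly.  Firewall rules on the
    # router can then grant this range internet access only.
    pool {
        range 192.168.10.200 192.168.10.219;
        allow unknown-clients;
        deny members of "iot";
        default-lease-time 3600;
        max-lease-time 7200;
    }
}
```

Run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting so a typo in a MAC does not take the whole LAN down; comment out the last pool, as Ralphred does, when no strangers should get anything at all. For the original poster's symptom, the check is `grep -B1 -A6 '00:11:22:33:44:10' /var/lib/dhcp/dhcpd.leases`: several active leases for one MAC, each with a different `uid` line, means the device changes its client identifier between boots and the `ignore-client-uids` line above is what stops it eating the pool.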