Saturday, May 28, 2011

howto: DHCPD with multiple subnets on the same interface

It took me tons of Google research to figure this out. From a mix of various posts and forums, I was able to piece together how to do this interesting little setup.

The Scenario: You have a DHCP server running on your gateway (or another machine), and you want to segregate different kinds of devices onto their own subnets. For example, say you have a group of terminals or thin clients you want on one subnet, your VoIP phones on another, and people using laptops on a third.
Tools Needed: the ISC DHCP Server.

  • Ubuntu Linux
    • apt-get install isc-dhcp-server
  • Gentoo Linux
    • emerge dhcp

My network is dual-firewalled (at least from the perspective of my thin clients). My hardware firewall has a public IP address and, of course, a LAN address.

  • The LAN address of my hardware firewall is 192.168.0.1 with a netmask of 255.255.255.0.
  • The LAN address of my Thin Client Server is 10.1.0.1 with a netmask of 255.255.255.0.
  • The Thin Client Server has a SECOND LAN address of 10.0.1.1 with a netmask of 255.255.255.0.

Why so many IP addresses, you ask?

So here's what we do: we take our VoIP phones and put them on the 192.168.0.1 subnet (the firewall's), because they don't need any services from our server other than DNS and DHCP. This helps avoid collisions on the network and hopefully keeps our conversations crisp and clear.

We then give our thin clients their own subnet for the same reason. There is going to be a lot of traffic between the clients and the server, so we want to avoid disrupting the phone service.

The "everyone else" category: this could be employee laptops that need no direct interaction with our server (besides DHCP and DNS). I also wanted them on a different subnet from the phone system.


The VoIP phones get their IP addresses from the local DHCP server. Since they are then on the same subnet as the firewall, they are good to go. The thin clients and the "other devices", however, each sit on one of the two other subnets, so the server has to act as a NAT gateway for them if they are to reach the Internet. The iptables rules that make the server perform Network Address Translation for the two 10.* subnets are no different from the usual ones.
The trick is getting your DHCP server to assign addresses to all these different subnets. Here's the config!


authoritative;

# match the MAC addresses of our VOIP phones
class "voip"    { match if substring (hardware,1,3) = 00:04:f2; }

# match the MAC addresses of our LTSP clients.
class "clients" { match if substring (hardware,1,3) = 00:e0:c5; }

shared-network lan {

        # the phones
        subnet 192.168.0.0 netmask 255.255.255.0 {
                pool {
                        range 192.168.0.128 192.168.0.254;
                        allow members of "voip";
                }
                option routers 192.168.0.1;
                option domain-name-servers 192.168.0.2;
                option broadcast-address 192.168.0.255;
                option subnet-mask 255.255.255.0;
        }
        
        # unknown devices / laptops / tablets / cellphones
        subnet 10.1.0.0 netmask 255.255.255.0 {
                pool {
                        range 10.1.0.5 10.1.0.128;
                        allow unknown-clients;
                }
                option routers 10.1.0.1;
                option domain-name-servers 10.1.0.1;
                option broadcast-address 10.1.0.255;
                option subnet-mask 255.255.255.0;
        }

        # Linux Terminals
        subnet 10.0.0.0 netmask 255.255.255.0 {
                pool {
                        range 10.0.0.5 10.0.0.128;
                        allow members of "clients";
                }
                option routers 10.0.0.1;
                option domain-name-servers 10.0.0.1;
                option domain-name "your.domain.name.here";
                option broadcast-address 10.0.0.255;
                option subnet-mask 255.255.255.0;

                option root-path "/opt/ltsp/i386";
                if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
                        filename "ltsp/i386/pxelinux.0";
                } else {
                        filename "ltsp/i386/nbi.img";
                }
        }

} # end shared net

Edit 2013-03-19: Tinman has another guide over here with even more advanced features.
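One caveat when reusing this config, with an added fragment that is mine rather than the post's: in ISC dhcpd, `unknown-clients` means clients that have no `host` declaration, and being matched into a class does not change that. A phone matching "voip" or a terminal matching "clients" is therefore also permitted in the 10.1.0.0 pool, and nothing in the config forbids it from drawing a lease there. Adding `deny members of` statements to the general pool makes the split explicit. The per-subnet `option` lines are unchanged from the post and left out here.

```conf
# Added example (mine, not the post's): same classes and pools, with deny
# statements so a device that matches a class can only draw from its own pool.
authoritative;

class "voip"    { match if substring (hardware,1,3) = 00:04:f2; }
class "clients" { match if substring (hardware,1,3) = 00:e0:c5; }

shared-network lan {

        subnet 192.168.0.0 netmask 255.255.255.0 {
                pool {
                        range 192.168.0.128 192.168.0.254;
                        allow members of "voip";
                }
                # option lines as in the post
        }

        subnet 10.1.0.0 netmask 255.255.255.0 {
                pool {
                        range 10.1.0.5 10.1.0.128;
                        allow unknown-clients;
                        deny members of "voip";      # phones stay on 192.168.0.0/24
                        deny members of "clients";   # terminals stay on 10.0.0.0/24
                }
                # option lines as in the post
        }

        subnet 10.0.0.0 netmask 255.255.255.0 {
                pool {
                        range 10.0.0.5 10.0.0.128;
                        allow members of "clients";
                }
                # option lines as in the post
        }
}
```

Check the file before reloading the daemon with `dhcpd -t -cf /etc/dhcp/dhcpd.conf`, which parses the config and reports syntax errors without starting the server.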

5 comments:

Sung Jin Woo said...

match if substring (hardware,1,3)
Dear author, can you explain this line of code? I don't quite understand it.

lovelutino said...

Each vendor that produces networking (or virtual networking) devices has their own MAC address ranges, and can be identified by the first three bytes of the address.

Example

Xensource 00:16:3E
VMware 00:05:69
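An added illustration (mine, not from the post or either commenter) of what that substring test compares, written in Python rather than dhcpd syntax. ISC's `hardware` expression is one hardware-type byte (1 for Ethernet) followed by the MAC, which is why the post starts at offset 1 and takes 3 bytes: that is the vendor OUI the comment above describes. The model also applies the pool permit lists from the post, so you can see that a device matched into a class still counts as an unknown client; the `STRICT_POOLS` variant, with `deny members of` entries in the general pool, is my assumption and not part of the post.

```python
"""Model of the two tests in the dhcpd.conf from the post, in plain Python.

Added example, not part of the original post: it reproduces what ISC dhcpd
compares when evaluating `substring (hardware,1,3)` and the pool permit
lists, so the behaviour can be checked without a running DHCP server.
"""
from dataclasses import dataclass

HTYPE_ETHERNET = 1  # DHCP 'htype' value for Ethernet (ARP hardware type 1)


def hardware_string(mac: str, htype: int = HTYPE_ETHERNET) -> bytes:
    """Value of ISC's `hardware` expression: the hardware-type byte followed by
    the link-layer address. That leading type byte is why the post's config
    starts the substring at offset 1 (offset 0 would be the type byte)."""
    return bytes([htype]) + bytes.fromhex(mac.replace(":", "").replace("-", ""))


def substring(data: bytes, offset: int, length: int) -> bytes:
    """ISC substring(): up to `length` bytes starting at `offset`."""
    return data[offset:offset + length]


# OUI prefix per class, the same values the post matches on
CLASSES = {
    "voip":    bytes.fromhex("0004f2"),
    "clients": bytes.fromhex("00e0c5"),
}


def member_classes(mac: str) -> frozenset:
    """Classes whose `match if` test is true for this MAC."""
    oui = substring(hardware_string(mac), 1, 3)
    return frozenset(name for name, prefix in CLASSES.items() if oui == prefix)


@dataclass(frozen=True)
class Pool:
    subnet: str
    permit: tuple = ()    # `allow ...;` entries
    prohibit: tuple = ()  # `deny ...;` entries


def _entry_matches(entry: str, classes: frozenset, has_host_decl: bool) -> bool:
    # 'unknown-clients' is about host declarations, not class membership:
    # a client matched into a class is still "unknown" unless a host {} exists for it.
    if entry == "unknown-clients":
        return not has_host_decl
    if entry.startswith("members of "):
        return entry[len("members of "):].strip('"') in classes
    raise ValueError(f"unsupported permit entry: {entry}")


def permitted(pool: Pool, mac: str, has_host_decl: bool = False) -> bool:
    """dhcpd pool rule: any matching deny entry blocks the client; if an allow
    list exists, at least one allow entry must match."""
    classes = member_classes(mac)
    if any(_entry_matches(e, classes, has_host_decl) for e in pool.prohibit):
        return False
    if pool.permit and not any(_entry_matches(e, classes, has_host_decl) for e in pool.permit):
        return False
    return True


# The three pools exactly as the post declares them
POST_POOLS = (
    Pool("192.168.0.0/24", permit=('members of "voip"',)),
    Pool("10.1.0.0/24",    permit=("unknown-clients",)),
    Pool("10.0.0.0/24",    permit=('members of "clients"',)),
)

# Assumed stricter variant (not from the post): the general pool also denies both classes
STRICT_POOLS = (
    Pool("192.168.0.0/24", permit=('members of "voip"',)),
    Pool("10.1.0.0/24",    permit=("unknown-clients",),
         prohibit=('members of "voip"', 'members of "clients"')),
    Pool("10.0.0.0/24",    permit=('members of "clients"',)),
)


def eligible_subnets(mac: str, pools=POST_POOLS, has_host_decl: bool = False) -> list:
    """Subnets whose pool would accept a lease request from this MAC."""
    return [p.subnet for p in pools if permitted(p, mac, has_host_decl)]


def boot_filename(vendor_class_identifier: str) -> str:
    """The post's PXE test: substring(option vendor-class-identifier, 0, 9) = "PXEClient"."""
    if substring(vendor_class_identifier.encode(), 0, 9) == b"PXEClient":
        return "ltsp/i386/pxelinux.0"
    return "ltsp/i386/nbi.img"


if __name__ == "__main__":
    # Constructed sample MACs: one per OUI from the post, plus the Xensource OUI from the comment
    for mac in ("00:04:f2:11:22:33", "00:e0:c5:aa:bb:cc", "00:16:3e:00:00:01"):
        print(mac, sorted(member_classes(mac)),
              eligible_subnets(mac), eligible_subnets(mac, STRICT_POOLS))
```

Running it shows the phone OUI eligible for both the phone pool and the 10.1.0.0 pool under the post's pools, and for the phone pool only under the strict variant; a MAC outside both OUIs (the Xensource one from the comment) only ever lands in the unknown-clients pool.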

Unknown said...

You share the nice information about thin software services & system services.

Thin Client Hardware & RDP Thin Client

Francisco said...

In my case, all known clients are laptops and what I want is to separate them into different groups. I know the MAC address of each computer, but I do not assign one by one. How do I configure the server? How do I create these groups of MAC addresses?

Unknown said...

Thank you much!