On Mon, 16 Jan 2017 at 03:44 -0000, Rob Kampen wrote:
On 16/01/17 17:12, James A. Peltier wrote:
VLANs are your friend, otherwise DHCPD is not going to understand how to properly answer your request for different networks on the same interface.
Be careful about expecting VLANs to provide security. VLANs are for traffic management and are not directly a security tool. They might be useful in a carefully designed security model.
Here's an idea - untested.
Set up a network on the single nic - say 192.168.55.xx/24.
Set up the dhcp to offer leases from a subset of this network - say 192.168.55.128/28.
Set up fixed leases based upon mac address from the remainder of the network - i.e. outside the subset above - e.g. 192.168.55.1/28.
Then route / firewall as required - i.e. trusted known mac address hence IP address allowed vs unknown guest given an IP address we can block or otherwise handle.
As indicated, this is not tested but if memory serves, dhcpd will allow this kind of allocation.
I do something like this (although FreeBSD is my dhcp server) only I do like the original proposal, two addresses on the DHCP server and both subnets configured. Part of my dhcp configuration includes:
shared-network shared {
    # Primary subnet
    subnet 192.168.30.0 netmask 255.255.255.0 {
        option routers 192.168.30.1;
        max-lease-time 86400;
        default-lease-time 86400;
        authoritative;
        range 192.168.30.48 192.168.30.59;
    }

    # Secondary subnet
    subnet 192.168.40.0 netmask 255.255.255.0 {
        option routers 192.168.40.1;
        max-lease-time 86400;
        default-lease-time 86400;
        authoritative;
    }
} # end of shared-network shared

host ip-phone-1 {
    hardware ethernet 00:0b:82:xx:xx:xx;
    ## fixed-address 192.168.30.129;
    fixed-address 192.168.40.129;
}
There are other things necessary to make this all work. I also have a FreeBSD system acting as a router between the subnets and my ISP connection. I also have a caching dns service on both subnets (I didn't include the dns related configuration in the example above).
As others have suggested, this also is NOT a security technique. The systems in each address space will have access to systems in the other address space even without a router. I don't distinguish between trusted and untrusted networks, I assume all are untrusted and secure the systems themselves as needed.
Stuart
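Rob's allocation scheme written out as an ISC dhcpd.conf fragment (an added example, not configuration from either post; the host names, MAC addresses and lease times are placeholders): clients whose MAC has no host declaration draw from the 192.168.55.128/28 pool, while declared MACs get fixed addresses from the rest of the /24 and are kept out of the guest pool by the pool's permission list. Since the split rests only on the MAC the client presents, it is an allocation policy for the firewall to key on, not access control in itself, which is the caveat Stuart raises above.

```conf
# One interface, one /24.  dhcpd sorts clients purely by whether their
# MAC address has a matching host declaration below.
# (Added example; names, MACs and lease times are placeholders.)
authoritative;
default-lease-time 3600;
max-lease-time 86400;

subnet 192.168.55.0 netmask 255.255.255.0 {
    option routers 192.168.55.1;
    option subnet-mask 255.255.255.0;

    # Guest pool: 192.168.55.128/28 (.128 - .143), short leases.
    # "deny known-clients" keeps declared hosts from ever landing here,
    # so a known MAC never shows up with a guest address.
    pool {
        deny known-clients;
        range 192.168.55.128 192.168.55.143;
        default-lease-time 600;
        max-lease-time 1800;
    }
}

# Known devices get fixed leases outside the guest range.  The router /
# firewall rules keyed on these addresses are what actually decide what
# "trusted" means; dhcpd only hands out the numbers.
host workstation-1 {
    hardware ethernet 00:00:5e:00:53:01;   # placeholder MAC (RFC 7042 documentation range)
    fixed-address 192.168.55.10;
}

host printer-1 {
    hardware ethernet 00:00:5e:00:53:02;   # placeholder MAC
    fixed-address 192.168.55.11;
}
```

Run `dhcpd -t -cf /path/to/dhcpd.conf` to syntax-check the file before reloading the daemon.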