On Mon, 16 Jan 2017 at 03:44 -0000, Rob Kampen wrote:
> On 16/01/17 17:12, James A. Peltier wrote:
> > VLANs are your friend, otherwise DHCPD is not going to understand how to
> > properly answer your request for different networks on the same interface.

Be careful about expecting VLANs to provide security. VLANs are for traffic
management and are not directly a security tool. They might be useful in a
carefully designed security model.

> Here's an idea - untested.
> set up a network on the single nic - say 192.168.55.xx/24
> set up the dhcp to offer leases from a subset of this network - say
> 192.168.55.128/28
> set up fixed leases based upon mac address from the remainder of the network -
> i.e. outside the subset above - e.g. 192.168.55.1/28
> then route / firewall as required - i.e. trusted known mac address hence IP
> address allowed vs unknown guest given an IP address we can block or otherwise
> handle.
> As indicated, this is not tested but if memory serves, dhcpd will allow this
> kind of allocation.

I do something like this (although FreeBSD is my dhcp server), only I do it
like the original proposal: two addresses on the DHCP server and both subnets
configured. Part of my dhcp configuration includes:

shared-network shared {
    # Primary subnet: the only one with a dynamic pool
    subnet 192.168.30.0 netmask 255.255.255.0 {
        option routers 192.168.30.1;
        max-lease-time 86400;
        default-lease-time 86400;
        authoritative;
        range 192.168.30.48 192.168.30.59;
    }

    # Secondary subnet: no range, so only fixed-address hosts land here
    subnet 192.168.40.0 netmask 255.255.255.0 {
        option routers 192.168.40.1;
        max-lease-time 86400;
        default-lease-time 86400;
        authoritative;
    }
} # end of shared-network shared

host ip-phone-1 {
    hardware ethernet 00:0b:82:xx:xx:xx;
    ## fixed-address 192.168.30.129;
    fixed-address 192.168.40.129;
}

There are other things necessary to make this all work. I also have a FreeBSD
system acting as a router between the subnets and my ISP connection.

I also have a caching dns service on both subnets (I didn't include the dns
related configuration in the example above).

As others have suggested, this also is NOT a security technique. The systems in
each address space will have access to systems in the other address space even
without a router. I don't distinguish between trusted and untrusted networks, I
assume all are untrusted and secure the systems themselves as needed.

Stuart
-- 
I've never been lost; I was once bewildered for three days, but never lost!
-- Daniel Boone
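The scheme discussed in this thread (a dynamic range carved out of one subnet, fixed MAC-based leases everywhere else in a shared-network) only works if no fixed-address host lands inside a dynamic range or outside every declared subnet. The following added example, not part of the thread or of ISC dhcpd itself, is a small checker for exactly those two mistakes; the embedded dhcpd.conf fragment and MAC addresses are constructed for the demonstration and the regex parser covers only the directives shown.

```python
import ipaddress
import re

# Constructed sample modelled on the shared-network layout from the thread;
# "clash" and "stray" are deliberate mistakes the checker should flag.
SAMPLE_CONF = """
shared-network shared {
  subnet 192.168.30.0 netmask 255.255.255.0 {
    option routers 192.168.30.1;
    range 192.168.30.48 192.168.30.59;
  }
  subnet 192.168.40.0 netmask 255.255.255.0 {
    option routers 192.168.40.1;
  }
}
host ip-phone-1 { hardware ethernet 00:0b:82:aa:bb:cc; fixed-address 192.168.40.129; }
host clash      { hardware ethernet 00:0b:82:aa:bb:cd; fixed-address 192.168.30.50; }
host stray      { hardware ethernet 00:0b:82:aa:bb:ce; fixed-address 10.0.0.5; }
"""

SUBNET_RE = re.compile(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)")
RANGE_RE = re.compile(r"range\s+(?:dynamic-bootp\s+)?([\d.]+)(?:\s+([\d.]+))?\s*;")
HOST_RE = re.compile(r"host\s+(\S+)\s*\{(.*?)\}", re.S)
FIXED_RE = re.compile(r"fixed-address\s+([\d.]+)\s*;")

def parse(conf):
    """Extract declared subnets, dynamic ranges and fixed-address hosts."""
    subnets = [ipaddress.ip_network(f"{a}/{m}") for a, m in SUBNET_RE.findall(conf)]
    ranges = []
    for lo, hi in RANGE_RE.findall(conf):
        lo_ip = ipaddress.ip_address(lo)
        # A single-address range ("range a.b.c.d;") covers just that one address
        hi_ip = ipaddress.ip_address(hi) if hi else lo_ip
        ranges.append((lo_ip, hi_ip))
    hosts = {}
    for name, body in HOST_RE.findall(conf):
        m = FIXED_RE.search(body)
        if m:
            hosts[name] = ipaddress.ip_address(m.group(1))
    return subnets, ranges, hosts

def check_fixed_addresses(conf):
    """Return {hostname: problem} for fixed-address hosts that collide with a
    dynamic range or lie outside every declared subnet; empty dict means clean."""
    subnets, ranges, hosts = parse(conf)
    problems = {}
    for name, ip in hosts.items():
        if any(lo <= ip <= hi for lo, hi in ranges):
            problems[name] = "inside dynamic range"
        elif not any(ip in net for net in subnets):
            problems[name] = "outside all declared subnets"
    return problems
```

Running `check_fixed_addresses(SAMPLE_CONF)` flags "clash" and "stray" and leaves "ip-phone-1" alone, which is the layout the thread describes; `dhcpd -t` remains the authoritative syntax check before reloading a real server.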