[CentOS] Centos 7 dhcpd failure to allow a 2nd network over same internal nic

Wed Jan 18 17:37:49 UTC 2017
Stuart Barkley <stuartb at 4gh.net>

On Mon, 16 Jan 2017 at 03:44 -0000, Rob Kampen wrote:

> On 16/01/17 17:12, James A. Peltier wrote:
> > VLANs are your friend, otherwise DHCPD is not going to understand how to
> > properly answer your request for different networks on the same interface.

Be careful about expecting VLANs to provide security.  VLANs are for
traffic management and are not directly a security tool.  They might be
useful in a carefully designed security model.

> Here's an idea - untested.
> set up a network on the single nic - say 192.168.55.xx/24
> set up the dhcp to offer leases from a subset of this network - say
> 192.168.55.128/28
> set up fixed leases based upon mac address from the remainder of the network -
> i.e. outside the subset above - e.g. 192.168.55.1/28
> then route / firewall as required - i.e. trusted known mac address hence IP
> address allowed vs unknown guest given an IP address we can block or otherwise
> handle.
> As indicated, this is not tested but if memory serves, dhcpd will allow this
> kind of allocation.

I do something like this (although FreeBSD is my dhcp server) only I
do like the original proposal, two addresses on the DHCP server and
both subnets configured.  Part of my dhcp configuration includes:

    # One shared-network: both subnets sit on the same physical segment,
    # so dhcpd may answer a client on this interface from either subnet.
    shared-network shared {
        # Primary subnet: the only one with a dynamic pool
        subnet 192.168.30.0 netmask 255.255.255.0 {
            option routers 192.168.30.1;
            max-lease-time 86400;
            default-lease-time 86400;
            authoritative;

            # Unknown clients get dynamic leases only from this range
            range 192.168.30.48 192.168.30.59;
        }

        # Secondary subnet: no range, so only fixed-address hosts land here
        subnet 192.168.40.0 netmask 255.255.255.0 {
            option routers 192.168.40.1;
            max-lease-time 86400;
            default-lease-time 86400;
            authoritative;
        }
    } # end of shared-network shared

    # Known MAC address pinned to an address in the secondary subnet
    host ip-phone-1 {
        hardware ethernet 00:0b:82:xx:xx:xx;
        ## fixed-address 192.168.30.129;
        fixed-address 192.168.40.129;
    }

There are other things necessary to make this all work.  I also have a
FreeBSD system acting as a router between the subnets and my ISP
connection.  I also have a caching dns service on both subnets (I
didn't include the dns related configuration in the example above).

As others have suggested, this also is NOT a security technique.  The
systems in each address space will have access to systems in the other
address space even without a router.  I don't distinguish between
trusted and untrusted networks, I assume all are untrusted and secure
the systems themselves as needed.

Stuart
-- 
I've never been lost; I was once bewildered for three days, but never lost!
                                        --  Daniel Boone
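An added example, not part of the thread above and not ISC's own tooling: a small Python checker for the shared-network layout Stuart describes. It parses `subnet`, `range` and `host ... fixed-address` declarations from a constructed sample config (the addresses and MACs are made up, modelled on the two-subnet layout above), then flags two mistakes that dhcpd itself does not catch at `dhcpd -t` time: a fixed-address that lies outside every subnet on the shared segment (the client will get an address the router never sees), and a fixed-address that sits inside a dynamic `range` (dhcpd may hand the same address to an unknown client). The parser is deliberately simple and assumes the subset of dhcpd.conf syntax shown in the post.

```python
import re
import ipaddress

# Constructed sample config (not the poster's file). Mirrors the layout above
# and adds two deliberately wrong hosts so the check has something to flag.
SAMPLE_CONF = """
shared-network shared {
    subnet 192.168.30.0 netmask 255.255.255.0 {
        option routers 192.168.30.1;
        authoritative;
        range 192.168.30.48 192.168.30.59;
    }
    subnet 192.168.40.0 netmask 255.255.255.0 {
        option routers 192.168.40.1;
        authoritative;
    }
}
host ip-phone-1 {
    hardware ethernet 00:0b:82:aa:bb:cc;
    fixed-address 192.168.40.129;
}
host stray-printer {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.50.10;
}
host in-pool {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.168.30.50;
}
"""

SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\S+)(?:\s+(\S+))?\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
FIXED_RE = re.compile(r"\bfixed-address\s+([^;]+);")


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in config")


def parse_subnets(conf):
    """Return [(network, [(range_lo, range_hi), ...]), ...] for every subnet."""
    subnets = []
    for m in SUBNET_RE.finditer(conf):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        body = _block_body(conf, m.end() - 1)  # m.end()-1 is the '{'
        ranges = []
        for r in RANGE_RE.finditer(body):
            lo = ipaddress.ip_address(r.group(1))
            hi = ipaddress.ip_address(r.group(2) or r.group(1))
            ranges.append((lo, hi))
        subnets.append((net, ranges))
    return subnets


def parse_hosts(conf):
    """Return {host_name: fixed_address} for hosts that declare one."""
    hosts = {}
    for m in HOST_RE.finditer(conf):
        fa = FIXED_RE.search(m.group(2))
        if fa:
            hosts[m.group(1)] = ipaddress.ip_address(fa.group(1).strip())
    return hosts


def check_fixed_addresses(conf):
    """Return a list of problem strings; an empty list means the layout is sane."""
    subnets = parse_subnets(conf)
    problems = []
    for name, addr in parse_hosts(conf).items():
        home = [(net, rngs) for net, rngs in subnets if addr in net]
        if not home:
            problems.append(f"{name}: {addr} is outside every declared subnet")
            continue
        for net, rngs in home:
            for lo, hi in rngs:
                if lo <= addr <= hi:
                    problems.append(
                        f"{name}: {addr} collides with dynamic range {lo}-{hi} in {net}")
    # A range that leaks outside its own subnet is also a misconfiguration.
    for net, rngs in subnets:
        for lo, hi in rngs:
            if lo not in net or hi not in net:
                problems.append(f"range {lo}-{hi} is not inside subnet {net}")
    return problems


if __name__ == "__main__":
    for p in check_fixed_addresses(SAMPLE_CONF):
        print("PROBLEM:", p)
```

Run against the sample, `ip-phone-1` passes, `stray-printer` is reported as outside every subnet, and `in-pool` is reported as colliding with the 192.168.30.48-59 pool. To check a real file, read `/etc/dhcp/dhcpd.conf` into `conf` instead of `SAMPLE_CONF`; the check is static and needs no running dhcpd.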