[opensuse] DHCP server, VLAN and subnets
I have configured my openSUSE 11.4 firewall with a VLAN interface and a different subnet from my main one. I have configured the DHCP server with the new address range, but for some reason I still get the main subnet addresses assigned instead. I don't see any way to say which interface a DHCP range applies to. Is there any way to configure the DHCP server so that the correct addresses are assigned on the VLAN interface?
tnx jk
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
James Knott wrote:
I have configured my openSUSE 11.4 firewall with a VLAN interface and a different subnet from my main one. I have configured the DHCP server with the new address range, but for some reason I still get the main subnet addresses assigned instead. I don't see any way to say which interface a DHCP range applies to. Is there any way to configure the DHCP server so that the correct addresses are assigned on the VLAN interface?
This guy seems to have an answer: http://blog.tinle.org/?p=300
The trick was to make all the subnet declarations, but don't use the "shared-network" statement. Make sure the DHCP relays are set up correctly, and when clients make DHCP requests, they will arrive at the DHCP server with the relay address in them as the GIADDR (gateway IP address). The DHCP server will see that and know which subnet it should provide addresses from.
-- Per Jessen, Zürich (16.2°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
This guy seems to have an answer:
I don't think that's quite what I'm looking for. I'm not using relays. I just have the firewall with the regular Ethernet LAN plus a VLAN.
James Knott wrote:
Per Jessen wrote:
This guy seems to have an answer:
I don't think that's quite what I'm looking for. I'm not using relays. I just have the firewall with the regular Ethernet LAN plus a VLAN.
You're right, it works for him because he has dhcp relays in between. You need to have dhcp dish out from a subnet depending on which interface a request came in on. Hmmm.
-- Per Jessen, Zürich (23.4°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
You're right, it works for him because he has dhcp relays in between. You need to have dhcp dish out from a subnet depending on which interface a request came in on. Hmmm.
That's the general idea, but for some reason the DHCP server thinks it's OK to hand out addresses on the wrong subnet.
James Knott wrote:
Per Jessen wrote:
You're right, it works for him because he has dhcp relays in between. You need to have dhcp dish out from a subnet depending on which interface a request came in on. Hmmm.
That's the general idea, but for some reason the DHCP server thinks it's OK to hand out addresses on the wrong subnet.
I don't think the DHCP server has a concept of which interface a request came in on. I'm sure you've googled this already - every interesting hit I see seems to end up talking about using a dhcp relay. You could perhaps do that, even if you're on a single box.
-- Per Jessen, Zürich (23.7°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
I don't think the DHCP server has a concept of which interface a request came in on.
As I mentioned in another note, it's not a problem for Cisco and Adtran. I have set up networks with VLANs on multiple switches and a router. You just configure an IP interface for each VLAN and the router sorts things out. One thing a router can use is the interface corresponding to the MAC address.
James Knott wrote:
One thing a router can use is the interface corresponding to the MAC address.
Here's an example. This arp cache shows the connections before I put the computer E520 on the VLAN.

nexus7.xyz.net (172.16.1.95) at 08:60:6e:a8:96:0d [ether] on eth2
default (99.230.168.1) at 00:1f:ca:20:46:da [ether] on eth0
linux.xyz.net (172.16.1.10) at 00:15:f2:9c:a7:ac [ether] on eth2
E520.xyz.net (172.16.1.40) at 38:59:f9:e0:7d:5d [ether] on eth2

And after I put it on the VLAN and manually assign the IP address.

nexus7.xyz.net (172.16.1.95) at 08:60:6e:a8:96:0d [ether] on eth2
default (99.230.168.1) at 00:1f:ca:20:46:da [ether] on eth0
? (192.168.5.50) at 38:59:f9:e0:7d:5d [ether] on eth2.5
linux.xyz.net (172.16.1.10) at 00:15:f2:9c:a7:ac [ether] on eth2
E520.xyz.net (172.16.1.40) at <incomplete> on eth2

As you can see, the arp cache shows the computer as now on the VLAN eth2.5 with address 192.168.5.50. Since this is the router computer, that info is available to the DHCP server. The question mark in the host name is due to there not being any DNS entry for that IP address.
On Thu, 22 Aug 2013 16:05:47 +0200 Per Jessen <per@computer.org> wrote:
I don't think the DHCP server has a concept of which interface a request came in on.
Of course it has. Otherwise a multihomed DHCP server would not be possible at all.
Andrey Borzenkov wrote:
I don't think the DHCP server has a concept of which interface a request came in on.
Of course it has. Otherwise a multihomed DHCP server would not be possible at all.
So, why hasn't the openSUSE server figured that out? As I posted in another note, the arp cache shows which interface the MAC address came from. If there's no resolution to this, I'll have to file a bug report, as this behaviour is sub par for a router.
James Knott wrote:
Per Jessen wrote:
You're right, it works for him because he has dhcp relays in between. You need to have dhcp dish out from a subnet depending on which interface a request came in on. Hmmm.
That's the general idea, but for some reason the DHCP server thinks it's OK to hand out addresses on the wrong subnet.
BTW, Cisco routers will only hand out addresses appropriate for the subnet. In a network where VLANs are used, you can only get from one VLAN to another via a router. This is something Cisco supports quite well and I have also done it with Adtran routers.
On Wed, 21 Aug 2013 22:33:47 -0400 James Knott <james.knott@rogers.com> wrote:
I have configured my openSUSE 11.4 firewall with a VLAN interface and a different subnet from my main one. I have configured the DHCP server with the new address range, but for some reason I still get the main subnet addresses assigned instead. I don't see any way to say which interface a DHCP range applies to. Is there any way to configure the DHCP server so that the correct addresses are assigned on the VLAN interface?
This should just work assuming that your VLANs are indeed physically separate and client and server each have an interface in the new VLAN and the DHCP server is configured to serve it. But you did not provide any information about network topology nor network configuration of client and server. From your post it is not even clear where the DHCP server runs, which DHCP server it is, etc. Show and explain your network topology for a start.
Andrey Borzenkov wrote:
This should just work assuming that your VLANs are indeed physically separate and client and server each have an interface in the new VLAN and the DHCP server is configured to serve it. But you did not provide any information about network topology nor network configuration of client and server. From your post it is not even clear where the DHCP server runs, which DHCP server it is, etc.
Show and explain your network topology for a start.
The whole point of VLANs is they're not physically separate. They share the same switches and cables with other VLANs. For example, I have set up networks with VoIP phones on a different VLAN. The phones are on the same switch as computers and, in fact, VoIP phones have a built in switch for the computer. This means the computer and phone are sharing the same cable and switch port. The phones are on their own VLAN so that priority can be applied to their data and also to keep the phone network away from "curious" users. On large networks, there is often a management VLAN, where the hardware can be managed away from users. As for my own network, as shown in an earlier post, my default route to the Internet is on eth0 and the local LAN on eth2, with the VLAN eth2.5. VLANs are shown with a decimal number on the physical interface number. Regardless, a DHCP server with multiple address pools and subnets should not be handing out addresses that do not match the subnet they're sent on.
On Thu, 22 Aug 2013 12:20:44 -0400 James Knott <james.knott@rogers.com> wrote:
Andrey Borzenkov wrote:
This should just work assuming that your VLANs are indeed physically separate and client and server each have an interface in the new VLAN and the DHCP server is configured to serve it. But you did not provide any information about network topology nor network configuration of client and server. From your post it is not even clear where the DHCP server runs, which DHCP server it is, etc.
Show and explain your network topology for a start.
The whole point of VLANs is they're not physically separate. They share the same switches and cables with other VLANs. For example, I have set up networks with VoIP phones on a different VLAN. The phones are on the same switch as computers and, in fact, VoIP phones have a built in switch for the computer. This means the computer and phone are sharing the same cable and switch port. The phones are on their own VLAN so that priority can be applied to their data and also to keep the phone network away from "curious" users. On large networks, there is often a management VLAN, where the hardware can be managed away from users.
As for my own network, as shown in an earlier post, my default route to the Internet is on eth0 and the local LAN on eth2, with the VLAN eth2.5. VLANs are shown with a decimal number on the physical interface number.
This is the configuration of a single server. It does not say anything about how DHCP server and client are interconnected. Why do you assume that packets from your client are going via eth2.5 in the first place? A weak host will accept packets targeted to any of its configured addresses on any interface. So far it simply sounds like DHCP requests are coming to your server via the wrong interface.
Regardless, a DHCP server with multiple address pools and subnets should not be handing out addresses that do not match the subnet they're sent on.
Andrey Borzenkov wrote:
This is the configuration of a single server. It does not say anything about how DHCP server and client are interconnected.
Why do you assume that packets from your client are going via eth2.5 in the first place? A weak host will accept packets targeted to any of its configured addresses on any interface.
So far it simply sounds like DHCP requests are coming to your server via the wrong interface.
As I mentioned earlier, when I manually configured the computer on the VLAN, the arp cache showed it to be on the VLAN interface. The computer is a notebook connected via WiFi. The access point is configured with multiple SSIDs, one of which is on the VLAN. When I connect to that SSID/VLAN, DHCP assigns an address for the main network and not the VLAN subnet. BTW, I am not a novice at this sort of thing. In my work, I have set up networks for customers that have VLANs, multiple SSIDs on access points and DHCP servers that properly support multiple subnets. The only difference is that on those jobs I was using routers made by Adtran, but here I'm using openSUSE for a router. If I had an Adtran or Cisco router here, I would have had this up & running in a few minutes. The VLAN is set up properly and works. The DHCP server appears to be configured properly, but it still issues the wrong addresses for the subnet. As I mentioned, the arp cache shows the computer to be on the VLAN eth2.5, so the DHCP request would not be on the wrong interface.
On Thu, 22 Aug 2013 13:30:55 -0400 James Knott <james.knott@rogers.com> wrote:
The VLAN is set up properly and works. The DHCP server appears to be configured properly, but it still issues the wrong addresses for the subnet.
Can you sniff eth2 and eth2.5 during a DHCP transaction and make it available? In separate windows:

tshark -i eth2 -s 1500 -w /tmp/eth2.pcap
tshark -i eth2.5 -s 1500 -w /tmp/eth2.5.pcap

and (re-)boot your client; then kill them and upload the result somewhere.
Andrey Borzenkov wrote:
So far it simply sounds like DHCP requests are coming to your server via the wrong interface.
Here's what I posted in an earlier message:

Here's an example. This arp cache shows the connections before I put the computer E520 on the VLAN.

nexus7.xyz.net (172.16.1.95) at 08:60:6e:a8:96:0d [ether] on eth2
default (99.230.168.1) at 00:1f:ca:20:46:da [ether] on eth0
linux.xyz.net (172.16.1.10) at 00:15:f2:9c:a7:ac [ether] on eth2
E520.xyz.net (172.16.1.40) at 38:59:f9:e0:7d:5d [ether] on eth2

And after I put it on the VLAN and manually assign the IP address.

nexus7.xyz.net (172.16.1.95) at 08:60:6e:a8:96:0d [ether] on eth2
default (99.230.168.1) at 00:1f:ca:20:46:da [ether] on eth0
? (192.168.5.50) at 38:59:f9:e0:7d:5d [ether] on eth2.5
linux.xyz.net (172.16.1.10) at 00:15:f2:9c:a7:ac [ether] on eth2
E520.xyz.net (172.16.1.40) at <incomplete> on eth2

As you can see, the arp cache shows the computer as now on the VLAN eth2.5 with address 192.168.5.50. Since this is the router computer, that info is available to the DHCP server. The question mark in the host name is due to there not being any DNS entry for that IP address.

Please note the MAC address 38:59:f9:e0:7d:5d. When it's connected to the main WiFi SSID, it shows up on eth2, with the IP address 172.16.1.40, as expected. When I connect to the VLAN SSID and manually assign the address 192.168.5.50, it's on eth2.5. Prior to changing the address, it still had the 172.16.1.40 address, but pinging anything returned unreachable.
Andrey Borzenkov wrote:
Show and explain your network topology for a start.
Also, the router configuration is eth2 172.16.1.1 /24 and eth2.5 192.168.5.1 /24 and the DHCP address pools are 172.16.1.0 /24 and 192.168.5.0 /24.
James Knott wrote:
Andrey Borzenkov wrote:
Show and explain your network topology for a start.
Also, the router configuration is eth2 172.16.1.1 /24 and eth2.5 192.168.5.1 /24 and the DHCP address pools are 172.16.1.0 /24 and 192.168.5.0 /24.
Almost forgot, the DHCP ranges on those subnets are 172.16.1.100 - 172.168.1.199 and 192.168.5.100 - 192.168.5.199.
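The following is an added example, not code from the thread or from any DHCP server: it models the subnet-selection rule Per's blog quote describes and that RFC 2131 and ISC dhcpd follow (a non-zero GIADDR selects the subnet containing the relay address; otherwise the address of the interface the request arrived on does), using the interface addresses, subnets and pools James posted. It also checks that each pool lies inside its declared subnet, the kind of error ISC dhcpd reports when parsing dhcpd.conf; the upper bound 172.168.1.199 as it appears in the thread is used as the failing input.

```python
"""Model of how a DHCP server chooses the subnet for a request.

Added example: the MAC address and the server's ARP cache play no part in
the rule below, which is why a request that reaches the server untagged on
eth2 is answered from 172.16.1.0/24 even when the client was meant to be on
the VLAN. Addresses are the ones posted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Subnet:
    network: ipaddress.IPv4Network
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address


def subnet(net: str, start: str, end: str) -> Subnet:
    return Subnet(ipaddress.IPv4Network(net),
                  ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))


# Router addressing from the thread: eth2 172.16.1.1/24, eth2.5 192.168.5.1/24
INTERFACES = {
    "eth2": ipaddress.IPv4Address("172.16.1.1"),
    "eth2.5": ipaddress.IPv4Address("192.168.5.1"),
}

# Subnet declarations with pools that lie inside their subnets
SUBNETS = [
    subnet("172.16.1.0/24", "172.16.1.100", "172.16.1.199"),
    subnet("192.168.5.0/24", "192.168.5.100", "192.168.5.199"),
]


def validate_pools(subnets: List[Subnet]) -> List[str]:
    """One message per pool boundary outside its subnet (a dhcpd.conf error)."""
    return [f"{addr} not on net {s.network.with_prefixlen}"
            for s in subnets for addr in (s.pool_start, s.pool_end)
            if addr not in s.network]


def select_subnet(subnets: List[Subnet], ifname: str,
                  giaddr: str = "0.0.0.0") -> Optional[str]:
    """Return the network ('a.b.c.d/n') a request should be answered from.

    A relayed request (giaddr != 0) is matched on giaddr; a directly
    received one on the address of the interface it arrived on.
    """
    gi = ipaddress.IPv4Address(giaddr)
    key = gi if int(gi) else INTERFACES[ifname]
    for s in subnets:
        if key in s.network:
            return s.network.with_prefixlen
    return None  # no subnet declared for this interface


if __name__ == "__main__":
    for name in INTERFACES:
        print(name, "->", select_subnet(SUBNETS, name))
    print("relayed via 192.168.5.1 ->", select_subnet(SUBNETS, "eth2", "192.168.5.1"))
    # Pool upper bound as it appears in the thread
    print(validate_pools([subnet("172.16.1.0/24", "172.16.1.100", "172.168.1.199")]))
```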
Andrey Borzenkov wrote:
On Wed, 21 Aug 2013 22:33:47 -0400 James Knott <james.knott@rogers.com> wrote:
I have configured my openSUSE 11.4 firewall with a VLAN interface and a different subnet from my main one. I have configured the DHCP server with the new address range, but for some reason I still get the main subnet addresses assigned instead. I don't see any way to say which interface a DHCP range applies to. Is there any way to configure the DHCP server so that the correct addresses are assigned on the VLAN interface?
This should just work assuming that your VLANs are indeed physically separate
VLANs are virtual, therefore _not_ physically separate.
-- Per Jessen, Zürich (24.1°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
On Thu, 22 Aug 2013 18:49:17 +0200 Per Jessen <per@computer.org> wrote:
Andrey Borzenkov wrote:
On Wed, 21 Aug 2013 22:33:47 -0400 James Knott <james.knott@rogers.com> wrote:
I have configured my openSUSE 11.4 firewall with a VLAN interface and a different subnet from my main one. I have configured the DHCP server with the new address range, but for some reason I still get the main subnet addresses assigned instead. I don't see any way to say which interface a DHCP range applies to. Is there any way to configure the DHCP server so that the correct addresses are assigned on the VLAN interface?
This should just work assuming that your VLANs are indeed physically separate
VLANs are virtual, therefore _not_ physically separate.
VLAN means separate L2 domain. I have seen enough people who were running several different networks over the same L2 domain and were sure they were using different VLANs.
Andrey Borzenkov wrote:
VLANs are virtual, therefore _not_ physically separate.
VLAN means separate L2 domain. I have seen enough people who were running several different networks over the same L2 domain and were sure they were using different VLANs.
Well, the VLANs I've worked with are the type described by 802.1q, with a tag applied to the Ethernet frame to specify VLAN and CoS options etc. Beyond the obsolete Cisco ISL, I'm not aware of any other VLAN, though similar could be obtained with MPLS, if switches supported it.