Shared Network Behind a Relay

Jeffrey Hutzelman jhutz at
Tue Nov 4 01:44:07 UTC 2008

--On Monday, November 03, 2008 04:54:19 PM -0700 commo dore 
<commonanog at> wrote:

> I've been looking for a while on this issue, and I haven't had much luck.
> Basic concept is a centralized DHCP Server
> Known users      -->
>                                   (eth2) Router A
> (eth1)-------------------->(eth1) DHCP Server
> Unknown Users --->

This diagram makes no sense.  But then, ASCII art seldom does when the 
artist was not using a fixed-width font.  Fortunately, your description is 
fairly clear.

> I want to assign unknown users an iprange of until they are
> added to known lists; then they will get an ip in the public ip range (ie
> A.B.0.0/24).
> Basically an unknown user can only reach internal devices, and can't "go out"
> to the public internet,
> so something like this:
> shared-network test {
>         subnet A.B.0.0 netmask {
>                 option routers A.B.0.1;
>                 range A.B.0.200 A.B.0.210;
>                 deny unknown-clients;
>         }
>         subnet netmask {
>                 option routers;
>                 range;
>                 allow unknown-clients;
>         }
> }
> Now Router A
> eth2 A.B.0.1
> eth2:0
> DHCP Server
> eth1 A.B.0.100
> So whenever the Relay on Router A forwards the request the giaddr is
> A.B.0.1 so it only wants to assign an ip address back in that range. (and
> that works just fine).  Somehow I need to set it so that if giaddr is
> A.B.0.1 and it's an unknown host then assign it in the public range.

The configuration you've described should do that.

The DHCP server doesn't care what subnet the giaddr is in; it only cares 
what shared-network it is in.  So, if your router always sets giaddr to 
A.B.0.1, the DHCP server will know the client is on the "test" 
shared-network, and can/will assign addresses out of any pool on that 
shared-network which is available to the client.

You've said that your DHCP server's interface has address A.B.0.100, which 
is on the same A.B.0.0/24 subnet as your clients.  If the DHCP server is 
really connected to that network, you shouldn't need a relay agent at all.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Carnegie Mellon University - Pittsburgh, PA
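The following is an added illustration, not part of the thread or of ISC dhcpd's code: a small Python model of the selection logic Jeffrey describes. The giaddr is matched against the shared-network that contains it (not against one subnet), and the lease then comes from any pool in that shared-network whose allow/deny rules permit the client. The addresses are constructed stand-ins: 198.51.100.0/24 plays the public A.B.0.0/24 from the thread and 10.99.0.0/24 plays the unnamed private range. Pool walk order and the lease bookkeeping are simplifications of the real server.

```python
"""Model of how a relayed DHCP request is mapped to a pool.

Constructed example: documentation/private ranges stand in for the
public A.B.0.0/24 and the private range discussed in the thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Pool:
    """One subnet block with a range and its allow/deny rules."""
    network: ipaddress.IPv4Network
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    # Keywords appearing in 'deny ...' statements, e.g. {"unknown-clients"}.
    # 'allow unknown-clients' is the default, so it maps to an empty set.
    deny: frozenset = frozenset()
    leased: set = field(default_factory=set)

    def permits(self, client_known: bool) -> bool:
        if not client_known and "unknown-clients" in self.deny:
            return False
        if client_known and "known-clients" in self.deny:
            return False
        return True

    def next_free(self) -> Optional[ipaddress.IPv4Address]:
        addr = self.first
        while addr <= self.last:
            if addr not in self.leased:
                return addr
            addr += 1
        return None


@dataclass
class SharedNetwork:
    name: str
    pools: List[Pool]


def select_shared_network(giaddr: str, networks: List[SharedNetwork]) -> Optional[SharedNetwork]:
    """Find the shared-network whose subnets contain giaddr.

    Only membership in the shared-network matters; the specific subnet
    giaddr falls in does not restrict which pool the lease comes from.
    """
    addr = ipaddress.IPv4Address(giaddr)
    for sn in networks:
        if any(addr in p.network for p in sn.pools):
            return sn
    return None


def choose_lease(giaddr: str, client_known: bool, networks: List[SharedNetwork]) -> Optional[str]:
    """Return the first free address from a pool that permits this client."""
    sn = select_shared_network(giaddr, networks)
    if sn is None:
        return None  # no shared-network for this giaddr: request is ignored
    for pool in sn.pools:
        if not pool.permits(client_known):
            continue
        addr = pool.next_free()
        if addr is not None:
            pool.leased.add(addr)
            return str(addr)
    return None


def build_networks() -> List[SharedNetwork]:
    """The 'test' shared-network from the thread, with constructed addresses."""
    public = Pool(ipaddress.IPv4Network("198.51.100.0/24"),
                  ipaddress.IPv4Address("198.51.100.200"),
                  ipaddress.IPv4Address("198.51.100.210"),
                  deny=frozenset({"unknown-clients"}))
    private = Pool(ipaddress.IPv4Network("10.99.0.0/24"),
                   ipaddress.IPv4Address("10.99.0.10"),
                   ipaddress.IPv4Address("10.99.0.20"))  # allow unknown-clients (default)
    return [SharedNetwork("test", [public, private])]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Relay sets giaddr to the router's public-side address for both clients."""
    nets = build_networks()
    known = choose_lease("198.51.100.1", True, nets)
    unknown = choose_lease("198.51.100.1", False, nets)
    return known, unknown


def spillover_demo() -> Optional[str]:
    """With the public range (11 addresses) exhausted, a known client is
    still 'available' to the private pool, so the 12th lease lands there."""
    nets = build_networks()
    leases = [choose_lease("198.51.100.1", True, nets) for _ in range(12)]
    return leases[-1]


if __name__ == "__main__":
    print(demo())
    print(spillover_demo())
```

The spillover case is worth noticing: since `allow unknown-clients` is the default and excludes nobody, known clients can also draw from the private range once the public range is full. If that is not wanted, dhcpd's `deny known-clients;` in the private subnet keeps them out (a separate directive, not something in the posted config).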
