Server only for relayed requests, not broadcasts

Rob Janssen rob at ision.nl.eu.org
Wed Apr 24 08:40:42 UTC 2019


I have a machine with 2 network interfaces.
ens224 is on a local network 192.168.1.0/26 where it has to handle DHCP requests.
ens192 is on a different network 172.22.16.0/21 internal to the company where it is connected to a router.
On another location, there is a relay agent that forwards DHCP requests on a VLAN 192.168.1.64/28 to this server.
These come in on ens192 but the DHCP server should NOT handle local requests on ens192, only those forwarded requests.
(local DHCP on the network connected to ens192 is handled by another server, also via a relay agent)

The forwarded DHCP requests are sent to the machine's IP on ens224 (the router knows to forward them to this machine);
however, it appears that it is impossible to listen on an interface only for handling forwarded requests.  Is that true?

So I have included a dummy section for ens192 like this:

subnet 172.22.16.0 netmask 255.255.248.0 {
   deny unknown-clients;
   deny client-updates;
   not authoritative;
}

Not sure if the deny rules are really required, but the "not authoritative;" is, because the server
would reply to requests and informs when it is not there, even with no address pool available.
(there is an "authoritative" option in the global configuration)

Even with this config, the server is logging requests that it simply should not see, like:

Apr 24 10:02:47 unifi dhcpd[827]: DHCPDISCOVER from 00:8c:fa:d6:08:5f via ens192: network 172.22.16.0/21: no free leases
Apr 24 10:02:47 unifi dhcpd[827]: DHCPREQUEST for 172.22.18.199 (10.175.176.150) from 00:8c:fa:d6:08:5f via ens192: unknown lease 172.22.18.199.
Apr 24 10:02:48 unifi dhcpd[827]: DHCPINFORM from 172.22.18.199 via ens192: not authoritative for subnet 172.22.16.0
Apr 24 10:02:48 unifi dhcpd[827]: DHCPINFORM from 172.22.18.199 via ens192: not authoritative for subnet 172.22.16.0

and frequently it inserts this nagging section:

Apr 24 10:02:48 unifi dhcpd[827]: If this DHCP server is authoritative for that subnet,
Apr 24 10:02:48 unifi dhcpd[827]: please write an `authoritative;' directive either in the
Apr 24 10:02:48 unifi dhcpd[827]: subnet declaration or in some scope that encloses the
Apr 24 10:02:48 unifi dhcpd[827]: subnet declaration - for example, write it at the top
Apr 24 10:02:48 unifi dhcpd[827]: of the dhcpd.conf file.

Is there really no way for ISC DHCPD to receive forwarded requests on an interface (in this case, directed to 192.168.1.1 which
is the local address on ens224 which has a valid subnet declaration), without receiving broadcasts as well?

I even tried an nftables filter:

nft add table netdev filter
nft -- add chain netdev filter input { type filter hook ingress device ens192 priority -500 \; policy accept \; }
nft add rule netdev filter input iifname ens192 ip daddr != 192.168.1.1 udp dport 67 counter drop

This catches the "wrong" packets, counter increases, but DHCPD still sees them.
Version is: isc-dhcpd-4.3.5 (Debian Stretch)

Rob
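As an added illustration (not part of Rob's post and not ISC code): a small audit over dhcpd log lines in the format quoted above, separating relayed packets from packets received directly on an interface and flagging the direct ones on an interface that should only see relayed traffic. It assumes that dhcpd writes "via <relay agent IP>" when giaddr is set and "via <interface name>" otherwise; the sample lines are constructed, and the relay address 192.168.1.65 and the relay-only interface set are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the dhcpd lines quoted in the post;
# the two "via 192.168.1.65" lines are made up to represent relayed traffic.
SAMPLE_LOG = """\
Apr 24 10:02:47 unifi dhcpd[827]: DHCPDISCOVER from 00:8c:fa:d6:08:5f via ens192: network 172.22.16.0/21: no free leases
Apr 24 10:02:47 unifi dhcpd[827]: DHCPREQUEST for 172.22.18.199 (10.175.176.150) from 00:8c:fa:d6:08:5f via ens192: unknown lease 172.22.18.199.
Apr 24 10:02:48 unifi dhcpd[827]: DHCPINFORM from 172.22.18.199 via ens192: not authoritative for subnet 172.22.16.0
Apr 24 10:02:48 unifi dhcpd[827]: DHCPDISCOVER from 00:8c:fa:d6:08:60 via 192.168.1.65
Apr 24 10:02:48 unifi dhcpd[827]: DHCPOFFER on 192.168.1.70 to 00:8c:fa:d6:08:60 via 192.168.1.65
Apr 24 10:02:48 unifi dhcpd[827]: If this DHCP server is authoritative for that subnet,
"""

# Assumption: dhcpd logs "via <giaddr>" for relayed packets and "via <ifname>"
# for packets received directly (giaddr = 0) on that interface.
LINE_RE = re.compile(r"dhcpd\[\d+\]: (?P<type>DHCP[A-Z]+)\b.*?\bvia (?P<via>[^\s:]+)")


def parse_line(line):
    """Return (message type, via field, relayed?) or None for lines without a 'via'."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    via = m.group("via")
    try:
        ipaddress.IPv4Address(via)   # an address here means the packet came through a relay
        relayed = True
    except ValueError:               # otherwise it is an interface name: direct/broadcast
        relayed = False
    return m.group("type"), via, relayed


def audit_dhcpd_log(lines, relay_only_ifaces):
    """Count relayed vs. direct packets; flag direct packets on relay-only interfaces."""
    relayed, direct, alerts = Counter(), Counter(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg_type, via, is_relayed = parsed
        if is_relayed:
            relayed[via] += 1
        else:
            direct[via] += 1
            if via in relay_only_ifaces:
                alerts.append({"type": msg_type, "iface": via, "line": line})
    return {"relayed": relayed, "direct": direct, "alerts": alerts}


if __name__ == "__main__":
    report = audit_dhcpd_log(SAMPLE_LOG.splitlines(), {"ens192"})
    print("relayed:", dict(report["relayed"]), "direct:", dict(report["direct"]))
    for a in report["alerts"]:
        print("unexpected direct %s on %s" % (a["type"], a["iface"]))
```

Run against a real syslog, a non-empty alert list for ens192 is exactly the symptom described in the post: broadcasts reaching dhcpd on an interface that was meant to carry only relayed requests.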
