per-pool routers in dhcpd.conf?

glenn.satchell at uniq.com.au
Sun Jul 26 02:46:27 UTC 2020


Hi Alexis

You don't strictly need allow and deny clauses, since when you use an 
allow statement, everything else is implicitly denied. There are also 
notes about not mixing allow and deny, since the logic doesn't always 
work the way you expect, even though the simpler case does seem to work.

         pool {
             range 192.168.1.101 192.168.1.150;
             allow known-clients;
             # deny unknown-clients;
         }

option routers *should* work in the pool, but config changes could use a 
different code path and mess this up I guess.

As someone else suggested, looking at the actual packets with tcpdump 
might be useful. Is it possible the client is caching the old gateway or 
something strange like that?

I also use the same logic at home to separate the younger kids into 
different IP ranges and proxy ACLs:

subnet 192.168.14.0 netmask 255.255.255.0 {
   option routers router.example.com.au;
   pool {
     allow known-clients;
     range 192.168.14.210 192.168.14.229;
   }
   pool {
     deny known-clients;
     range 192.168.14.230 192.168.14.245;
   }
}

regards,
-glenn

On 2020-07-26 00:23, Alexis Huxley wrote:
> Hi, I have dhcpd.conf at home containing:
> 
>         host { ... }
>         ...
> 
>         subnet 192.168.1.0 netmask 255.255.255.0 {
>             option routers 192.168.1.1;
>             option domain-name "pasta.net";
>             option domain-name-servers 192.168.1.21;
>             option ntp-servers time.pasta.net;
> 
>             #  1-100 are reserved for statically configured hosts.
> 
>             #  101-150 are reserved for known dynamic hosts (known because
>             #  they're in host stanzas above).
>             #  e.g. my Android phone on wifi.
>             pool {
>                 range 192.168.1.101 192.168.1.150;
>                 allow known-clients;
>                 deny unknown-clients;
>             }
> 
>             #  151-200 are for unknown dynamic hosts. e.g. visitors' phones on wifi.
>             pool {
>                 range 192.168.1.151 192.168.1.200;
>                 allow unknown-clients;
>                 deny known-clients;
>             }
>         }
> 
> This works fine.
> 
> I now want to force 'known dynamic hosts' to use a different gateway.
> 
> (In case you're curious: Since, when using wifi, my Android
> phone silently refuses to use the DNS server proposed by the above
> dhcpd.conf, I now want to change the phone's gateway to a masquerading
> Linux box, where I can hopefully use iptables to force the phone to
> use the DNS server proposed by the DHCP server, and thereby block ads.)
> 
> The dhcpd.conf man page says:
> 
> 	In general, any parameter can appear anywhere that parameters
> 	are allowed, and will be applied according to the scope in which
> 	the parameter appears.
> 
> and I don't see anything special documented about 'option routers'.
> 
> So I thought this should work:
> 
>         subnet 192.168.1.0 netmask 255.255.255.0 {
>             #option routers 192.168.1.1;            <--- commented out at subnet level
>             ...
> 
>             pool {
>                 range 192.168.1.101 192.168.1.150;
>                 ...
>                 option routers 192.168.1.32;        <--- this is the different gateway
>             }
> 
>             pool {
>                 range 192.168.1.151 192.168.1.200;
>                 ...
>                 option routers 192.168.1.1;         <--- this is the original gateway
>             }
> 
> but it looks like *no* host gets told its gateway.
> 
> To confirm that it wasn't a problem with my new gateway itself, I
> put the original gateway in *both* pools, i.e. only the *location* of
> the router declaration changes compared to the original configuration:
> 
>         subnet 192.168.1.0 netmask 255.255.255.0 {
>             #option routers 192.168.1.1;            <--- commented out at subnet level
>             ...
> 
>             pool {
>                 range 192.168.1.101 192.168.1.150;
>                 ...
>                 option routers 192.168.1.1;         <--- this is the original gateway
>             }
> 
>             pool {
>                 range 192.168.1.151 192.168.1.200;
>                 ...
>                 option routers 192.168.1.1;         <--- this is the original gateway
>             }
> 
> The result was the same: no gateway.
> 
> My googles didn't turn up anything relevant and my experiments (using
> 'groups') failed, so any advice would be appreciated. I'm using
> isc-dhcp-server 4.4.1 on Debian 10. Thanks!
> 
> Alexis
> _______________________________________________
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> 
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
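Added example, not part of the thread: a small Python decoder for the question tcpdump would answer here, namely whether a captured DHCP reply carries option 3 (routers) at all, and with which gateway. The two replies it inspects are constructed inside the script to model the two pools above; they are not real captures, and the helper names are my own.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP option area
OPT_PAD, OPT_ROUTERS, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255


def parse_dhcp_options(payload: bytes) -> dict[int, bytes]:
    """Decode the TLV option area of a DHCP message (the UDP payload).

    Layout: 236-byte fixed BOOTP header, 4-byte magic cookie, then
    code/length/value triples until option 255 (end). Pad bytes (0) are skipped.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def routers_offered(payload: bytes) -> list[str]:
    """Gateways carried in option 3, or [] when the server sent none."""
    raw = parse_dhcp_options(payload).get(OPT_ROUTERS, b"")
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def build_dhcp_ack(yiaddr: str, options: dict[int, bytes]) -> bytes:
    """Constructed DHCPACK for testing: BOOTP header with the assigned address, then options."""
    header = bytearray(236)
    header[0] = 2                                    # op = BOOTREPLY
    header[16:20] = IPv4Address(yiaddr).packed       # yiaddr
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return bytes(header) + MAGIC_COOKIE + b"\x35\x01\x05" + body + b"\xff"  # 53=ACK ... 255


# Constructed replies (not captures): the known-clients pool handing out the new gateway,
# and a reply with no option 3 at all, i.e. the symptom "no host gets told its gateway".
KNOWN_POOL_ACK = build_dhcp_ack("192.168.1.120", {
    OPT_ROUTERS: IPv4Address("192.168.1.32").packed,
    OPT_DNS: IPv4Address("192.168.1.21").packed,
})
NO_GATEWAY_ACK = build_dhcp_ack("192.168.1.160", {OPT_DNS: IPv4Address("192.168.1.21").packed})

if __name__ == "__main__":
    for name, pkt in (("known pool", KNOWN_POOL_ACK), ("no gateway", NO_GATEWAY_ACK)):
        print(f"{name}: routers={routers_offered(pkt) or 'MISSING'}")
```

Feed `parse_dhcp_options` the UDP payload of a real reply (for example from a pcap written by tcpdump) to see whether the missing gateway is a server-side or a client-side problem.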
