Home / server / Questions / 512453
Accepted
HorusKol
Asked: 2013-06-01 20:24:08 +0800 CST

DHCP server with multiple scopes is issuing the wrong IPs to VLANs

  • 772

We're restructuring our network, and configured our router/dhcp server as follows:

# public internet connection
auto eth0
iface eth0 inet static
    address 192.168.10.10
    netmask 255.255.0.0
    gateway 192.168.0.1

# intranet
auto eth1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.128.0.0

# DHCP relay for WLAN
auto eth2
iface eth2 inet static
    address 10.254.0.1
    netmask 255.255.0.0

# DHCP relay for VPN
auto eth3
iface eth3 inet static
    address 10.253.0.1
    netmask 255.255.0.0

The DHCP server is set to listen on eth1, eth2 and eth3, and configured with the following scopes:

subnet 10.0.0.0 netmask 255.128.0.0 {
    range 10.100.0.0 10.100.255.255;
    option routers 10.0.0.1;
}

subnet 10.254.0.0 netmask 255.255.0.0 {
    range 10.254.1.0 10.254.255.255;
    option routers 10.254.0.1;
}

subnet 10.253.0.0 netmask 255.255.0.0 {
    range 10.253.0.0 10.253.255.255;
    option routers 10.253.0.1;
}

So - wireless devices connect to our Wi-Fi routers. Each Wi-Fi router is statically address (example, 10.254.0.2 with the gateway set to 10.254.0.1). However, the devices connecting via Wi-Fi are getting VPN addresses (10.253.0.0).

Also - desktop computers, which I want to be in the 10.100.x.x range are also getting VPN addresses.

This is on Ubuntu 12.04.

All the documentation I've found out on the internet indicates that this is correctly configured - but I figure that I must have missed something.

networking

1 Answers

  1. Best Answer

    I'm afraid that my question and Stemen's comment above pretty much sum it up, but I thought I'd spell it out, anyway: VLANs are not the same as subnets. Before any new device gets an IP address neither it, not the network, nor the DHCP server, has any idea what subnet your plan think it should end up on, so the device just makes a general-purpose DHCP broadcast and gets satisfied by the DHCP server's "default" range, which appears to be 10.253/16.

    You have two choices:

    1. You can physically and logically reconfigure your network, provided you have a manageable switch infrastructure, with VLANs. This introduces a logical separation between the network ports that are used by devices on the wireless subnet, by those on the VLAN subnet, and by those on the desktop subnet. The DHCP server will need to be told about the VLANs, and will need a different logical network device on each of them; the switch will have to allow packets from the DHCP server to be tagged according to which VLAN they're in. You will need to know your switch infrastructure intimately, and read up about VLANs and 802.1q tagging , if you want to do this.
    2. You can configure the DHCP server with a list of the MAC addresses that are specific to each subnet, and then when a device that the server has been so told should be on a particular subnet appears, it is offered a DHCP lease from the appropriate pool instead of the default pool.

    Neither of these is a maintenance-free option, but I find that (1) involves most of the effort up-front, while (2) involves much of the effort ongoing, as new devices come and go from your network.

    Edit: HorusKol, I take your point in the comment below: but note that the VPN range is the default right now, so you could still go for option (2) as long as you can itemise all the hosts on the desktop and wireless subnets. All other devices can be left to get their addresses from the VPN pool as a matter of default.

    • 2