DHCP server multiple gateways

Alan DeKok aland at deployingradius.com
Thu Oct 22 14:15:23 CEST 2020 

On Oct 21, 2020, at 5:41 PM, Ulisses Buonanni <ulisses.b at gmail.com> wrote:
> Need to know if it is possible and then I will appreciate some tips/howto
> guides.

  Yes, it's possible, with some caveats.  Your clear and descriptive message allows for a clear and descriptive response.  Instead of the usual "please run in debug mode" complaint.

  In short, you don't solve this via routing.  It might be possible, but it's likely going to be a pain.

  The best approach is to use VLANs.  You can create one VLAN per network segment.  Then use one SSID.  And when a user connects, assign him to the correct VLAN.

  Then because the users are on different network segments, routing automatically works.  Each VLAN has it's own set of IPs, default gateway, etc.  That avoids the issue of making DHCP depend on a RADIUS user name.  It also means that things like printers are site-local, and don't affect other sites.

  The downside is that if someone visits a different site, they won't be able to use the local printer.  But that may be a good thing, because they also can't see _any_ devices on that network.

> I'm wondering if it is possible to change all APs to use wpa2 enterprise in
> a way that freeradius (based on the username -not the mac address ) set IP
> range and gateway that user belong.

  Just use VLANs.  Then you can statically assign IPs, ranges, and gateways to each device.

  If you use routing, you'd have to find some way to assign IPs from range "A" at house "B", and then somehow (?) route a guest users packets from "B" to "A", and back again.  It's difficult, and prone to failures.

  An alternative is to just have guest networks at each location.  e.g. each location has a "10.0.12/24" network, which can get to the internet, but nothing else.  Anyone who isn't from the local site gets assigned an IP from the guest range.

  That means guests can't reach their "home" network.  But if they're visiting somewhere else, I suspect that accessing devices on the "home" network isn't that useful to them.

  It all depends on what you want to do.  If you want to separate "guest" and "home" traffic, a "guest" network works.  If you want each users *public* traffic to go through their own LTE/4g antenna, then VLANs are the best solution.

  Alan DeKok.

More information about the Freeradius-Users mailing list