DHCP NAT (and Relay) and Static Addressing based on Option82/Circuit ID
Alan DeKok
aland at deployingradius.com
Tue Nov 22 14:46:40 CET 2016
On Nov 22, 2016, at 1:23 AM, Martin Edge <medge at emersion.com> wrote:
> I'm making progress - however I am facing a few roadblocks that I would like some guidance on if possible.
>
> *Packets forwarded from an internal network which are translated out to us and carry a DHCP-Relay-IP-Address*
> DHCP Requests that are being sent to us include a Relay-IP-Address - and implicitly the DHCP module seems to use this as an authority and attempts to return the packet to the Relay IP, not the source of the packet. I was able to comment out in the source (3.0.12) - "modules/proto_dhcp/dhcpd.c" on line 497 (where it sets a new destination IP address) - and the packet was returned to the originator. Obviously this is not the way I should be doing this - so any suggestions are welcome.
That may work for you, but it's wrong.
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying
DHCP servers MUST respond to the relay IP address (giaddr). NOT to the source IP of the packet.
If you want to change this behaviour, don't edit the server source. Just do:
if (&DHCP-Relay-IP-Address) {
    update request {
        DHCP-Relay-IP-Address := "%{Packet-Src-IP-Address}"
    }
}
> *DHCP IP Addressing from SQLIPool*
> I have the radippool (via dhcp_sqlippool) process able to extract an IP address based on the Circuit ID (Option 82) contained within the DHCP Packet.
>
> The challenge I have is that the IP addresses I am allocating (for the same provider, but we will also have multiple providers who use our system) have different gateways based on the location of the service and the IP allocated. From what I can ascertain looking at the source code, the DHCP Pool functionality presently only deals with the returning of the Framed-IP-Address.
Yes.
If you're allocating multiple sets of IPs, you should set up multiple IP pools. Then, return service, options, etc. based on the DHCP pool. Not on the IP allocated.
> Looking at "modules/rlm_sqlippool/rlm_sqlippool.c" (line 580) - there is an object called 'inst' with a property called framed_ip_address. This is used to build a 'vp' and adds it to the reply.
>
> How would one go about providing database driven gateway/dns settings?
Put them into a database.
First, create the schema. Probably columns of Pool-Name, followed by columns of other DHCP settings. Then, set that.
You could probably tweak the main "sql" module to do this.
Alan DeKok.
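
Added example, not part of the original message and not FreeRADIUS code: a sketch of the two packet fields this thread turns on, giaddr (the relay address a reply normally goes to) and the Option 82 Circuit-ID used as the pool lookup key, with the reply-address choice mirroring the unlang override above. Function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct
# Added illustration; function names are hypothetical, not FreeRADIUS APIs.
MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks the start of DHCP options

def sub_option(body: bytes, wanted: int):
    """Return one sub-option value from an Option 82 body, or None."""
    i = 0
    while i + 2 <= len(body):
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated Option 82 sub-option")
        if code == wanted:
            return value
        i += 2 + length
    return None

def parse_relayed(packet: bytes) -> dict:
    """Extract giaddr and the Option 82 Circuit-ID (sub-option 1)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    info = {"giaddr": str(ipaddress.IPv4Address(packet[24:28])), "circuit_id": None}
    opts, i = packet[240:], 0
    while i < len(opts) and opts[i] != 255:          # 255 = End
        if opts[i] == 0:                             # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("truncated option")
        code, body = opts[i], opts[i + 2:i + 2 + opts[i + 1]]
        if code == 82:                               # Relay Agent Information
            info["circuit_id"] = sub_option(body, 1)
        i += 2 + len(body)
    return info

def reply_address(info: dict, packet_src: str, relay_behind_nat: bool = False):
    """giaddr by default; the packet source only when explicitly overridden.
    Returns None when giaddr is zero, i.e. the request was not relayed."""
    if info["giaddr"] == "0.0.0.0":
        return None
    return packet_src if relay_behind_nat else info["giaddr"]

def sample_packet(giaddr: str, circuit_id: bytes) -> bytes:
    """Constructed test input: a minimal relayed DHCPDISCOVER."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234, 0, 0,
                         bytes(4), bytes(4), bytes(4), ipaddress.IPv4Address(giaddr).packed,
                         bytes.fromhex("02005e100001"), b"", b"")
    opt82 = bytes([1, len(circuit_id)]) + circuit_id
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 82, len(opt82)]) + opt82 + b"\xff"
```

Keeping the override an explicit opt-in matches the advice in the message: giaddr stays the default reply target, and only relays known to sit behind NAT get the source-address substitution.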