DHCP NAT (and Relay) and Static Addressing based on Option82/Circuit ID
Martin Edge
medge at emersion.com
Wed Nov 23 01:47:55 CET 2016
Hi Alan,
Thanks for your reply.
-DHCP Relay issue-
Totally agree against modifying the source! It was a temporary path of desperation to fit inside restrictive timelines :)
The change you have suggested - where in the many configuration files would that go?
I have attempted to put it in sites-enabled/dhcp and in mods-enabled/preprocess - which parses fine, but essentially seems to do nothing. I've removed the if condition in case something was going weird there.
update request {
        DHCP-Relay-IP-Address := "%{Packet-Src-IP-Address}"
}
What's the difference between the ampersand at the front and not? And using ':=' versus '='?
Best case scenario I would probably want to put something specific for this customer versus breaking the rules all the time, for instance
if (&DHCP-Relay-IP-Address && "%{Packet-Src-IP-Address}" == "x.x.x.x") {
        update request {
                DHCP-Relay-IP-Address := "%{Packet-Src-IP-Address}"
        }
}
-DHCP Settings-
OK. When you say 'sql' module, can I have you elaborate a little on that? As in modify the SQL module itself or is there something I should be able to do leveraging existing functionality?
Is there some documentation or reference that would be worth me reading to figure this out?
I see the definition of a table 'usergroup_table' for instance, but I'm unable to see how it all stitches together.
Also not sure if this suggests I might be taking the wrong path - presently the 'Pool' I'm using is actually not really a pool, it's a 1:1 between Circuit ID (Service) and the IP address.
Thanks again,
Martin.
On Nov 22, 2016, at 1:23 AM, Martin Edge <medge at emersion.com> wrote:
> I'm making progress - however I am facing a few roadblocks that I would like some guidance on if possible.
>
> *Packets forwarded from an internal network which are translated out to us and carry a DHCP-Relay-IP-Address*
> DHCP Requests that are being sent to us include a Relay-IP-Address - and implicitly the DHCP module seems to use this as an authority and attempts to return the packet to the Relay IP, not the source of the packet. I was able to comment out in the source (3.0.12) - "modules/proto_dhcp/dhcpd.c" on line 497 (where it sets a new destination IP address) - and the packet was returned to the originator. Obviously this is not the way I should be doing this - so any suggestions are welcome.
That may work for you, but it's wrong.
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying
DHCP servers MUST respond to the relay IP address (giaddr). NOT to the source IP of the packet.
If you want to change this behaviour, don't edit the server source. Just do:
if (&DHCP-Relay-IP-Address) {
        update request {
                DHCP-Relay-IP-Address := "%{Packet-Src-IP-Address}"
        }
}
> *DHCP IP Addressing from SQLIPool*
> I have the radippool (via dhcp_sqlippool) process able to extract an IP address based on the Circuit ID (Option 82) contained within the DHCP Packet.
>
> The challenge I have, is the IP addresses I am allocating (for the same provider, but we will also have multiple providers who use our system) - has different gateways based on the location of the service and the IP allocated. From what I can ascertain looking at the source code, the DHCP Pool functionality presently only deals with the returning of the Framed-IP-Address.
Yes.
If you're allocating multiple sets of IPs, you should set up multiple IP pools. Then, return service, options, etc. based on the DHCP pool. Not on the IP allocated.
> Looking at "modules/rlm_sqlippool/rlm_sqlippool.c" (line 580) - there is an object called 'inst' with a property called framed_ip_address. This is used to build a 'vp' and adds it to the reply.
>
> How would one go about providing database driven gateway/dns settings?
Put them into a database.
First, create the schema. Probably columns of Pool-Name, followed by columns of other DHCP settings. Then, set that.
You could probably tweak the main "sql" module to do this.
Alan DeKok.
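The exchange above turns on two things: a DHCP server answers to giaddr (the relay address carried in the packet), not to the UDP source address, and Martin's per-service addressing keys off the Option 82 Circuit ID sub-option. The following is an added illustration written for this thread, not code from either poster and not FreeRADIUS code: it builds a constructed DHCPDISCOVER as a relay agent would forward it, parses giaddr and the Circuit ID back out of it, and picks the reply destination the RFC 2131 way, with an explicit opt-in (mirroring the unlang override Alan shows) for the one NATed source where the relay address is known to be unreachable. The sample addresses, MAC and circuit string are constructed placeholders.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 option-field marker
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID = 1                # RFC 3046 Agent Circuit ID
DHCPDISCOVER = 1
SERVER_PORT, CLIENT_PORT = 67, 68


@dataclass
class DhcpView:
    giaddr: IPv4Address
    ciaddr: IPv4Address
    broadcast_flag: bool
    msg_type: Optional[int]
    circuit_id: Optional[bytes]


def build_discover(giaddr: str, circuit_id: bytes) -> bytes:
    """Constructed sample: a relayed DHCPDISCOVER carrying giaddr and Option 82."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1 (one relay)
        0x1234ABCD,                    # xid (constructed)
        0, 0x0000,                     # secs, flags (broadcast bit clear)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        IPv4Address(giaddr).packed,    # giaddr set by the relay agent
        b"\x00\x11\x22\x33\x44\x55".ljust(16, b"\0"),  # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,       # sname, file
    )
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


def _tlvs(buf: bytes):
    """Yield (code, data) from a DHCP option or sub-option area; refuse truncated TLVs."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            return
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        yield code, data
        i += 2 + length


def parse(pkt: bytes) -> DhcpView:
    """Extract the fields the relay/reply decision and the Circuit ID lookup need."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    flags = struct.unpack("!H", pkt[10:12])[0]
    ciaddr = IPv4Address(pkt[12:16])
    giaddr = IPv4Address(pkt[24:28])
    msg_type, circuit_id = None, None
    for code, data in _tlvs(pkt[240:]):
        if code == OPT_MSG_TYPE and len(data) == 1:
            msg_type = data[0]
        elif code == OPT_RELAY_AGENT:
            for sub, sdata in _tlvs(data):
                if sub == SUBOPT_CIRCUIT_ID:
                    circuit_id = sdata
    return DhcpView(giaddr, ciaddr, bool(flags & 0x8000), msg_type, circuit_id)


def reply_destination(view: DhcpView, src_ip: str,
                      relay_override_src: Optional[str] = None) -> Tuple[str, int]:
    """RFC 2131 4.1 reply addressing. relay_override_src is the narrow exception
    discussed in the thread: only for that one NATed source is giaddr replaced
    by the packet's source address (the unlang override does the same)."""
    if view.giaddr != IPv4Address("0.0.0.0"):
        if relay_override_src is not None and src_ip == relay_override_src:
            return src_ip, SERVER_PORT
        return str(view.giaddr), SERVER_PORT          # relay agent, port 67
    if view.ciaddr != IPv4Address("0.0.0.0"):
        return str(view.ciaddr), CLIENT_PORT          # client already has an address
    if view.broadcast_flag:
        return "255.255.255.255", CLIENT_PORT
    return src_ip, CLIENT_PORT                        # direct, non-relayed client


if __name__ == "__main__":
    pkt = build_discover("10.0.0.1", b"eth0/12")
    v = parse(pkt)
    print(v.circuit_id, reply_destination(v, "203.0.113.9"))
```

The override path is deliberately keyed to one source address rather than applied unconditionally, which is the distinction Martin draws between a customer-specific rule and breaking relay handling for everyone.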