• dhcp addresses from pool only to specific devices

    From Leonardo Boselli@21:1/5 to All on Fri Mar 19 01:10:02 2021
    I have often set isc-dhcpd to give to each device its address, or to any
    device from a pool of addresses.
    Now the number of "authorized" devices has grown a lot (more than 300)
    but the pool is only about 90 addresses. I know that it is impossible that
    more than that number were active, and normally there will be only around 40,
    but I cannot give a fixed address to each one, since I cannot know
    if a certain couple will be present at the same time, so I have to use a pool.
    On the other side, I need to give access only to known machines, so I have
    to resort to another system.
    Looking at the manual, I should declare a class of allowed users (that is, MAC addresses) and allow only them to use a public address, while assigning a private one to the others.
    What is NOT clear to me is how to set up a class including some hundreds of MAC addresses ... since all the examples I have seen use matches or other
    cases.
    Any hint?
    --
    Leonardo Boselli
    Università di Firenze
    tel:+39 0552758808 +39 3488605348

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Leonardo Boselli@21:1/5 to Dan Ritter on Fri Mar 19 14:30:02 2021
    It was more or less my idea, but I was not sure about the syntax, and the documentation was not completely clear.
    Also, how long can the list be?
    (Yes, I have the mac addresses in a database)
    thank you for the clarification.

    On Fri, 19 Mar 2021, Dan Ritter wrote:
    If you want special treatment for some clients, you need to be
    able to identify them. Either they can all supply a parameter in
    their DHCP request -- if you control their configuration, this
    is reasonable -- or you need to maintain a list of MAC
    addresses.

    # Here is the list of MAC addresses, assigning a class:

    subclass "allocation-class-1" 1:8:0:2b:4c:39:ad;
    subclass "allocation-class-1" 1:8:0:2b:a9:cc:e3;
    subclass "allocation-class-1" 1:0:0:c4:aa:29:44;
    ...
    ...
    ...
    subclass "allocation-class-1" 1:0:0:c2:aa:23:4a;

    # and here is how they are treated differently:

    subnet 10.0.0.0 netmask 255.255.255.0 {
      pool {
        allow members of "allocation-class-1";
        deny unknown-clients;
        range 10.0.0.11 10.0.0.50;
      }
      pool {
        allow unknown-clients;
        range 10.0.0.51 10.0.0.100;
      }
    }

    Or they can go to different subnets instead of pools of
    the same one.

    I recommend putting the class definitions in one or more
    include files, with comments about human-identifiable info.
    If you have a database system that tracks things like this,
    it's a good idea to have it produce these include files
    for you every hour or day or whatever matches your needs.

    -dsr-


    --
    Leonardo Boselli
    Università di Firenze
    tel:+39 0552758808 +39 3488605348

  • From Dan Ritter@21:1/5 to Leonardo Boselli on Fri Mar 19 14:40:01 2021
    Leonardo Boselli wrote:
    I have often set isc-dhcpd to give to each device its address, or to any device from a pool of addresses.
    Now the number of "authorized" devices has grown a lot (more than 300) but the pool is only about 90 addresses. I know that it is impossible that more than that number were active, and normally there will be only around 40, but
    I cannot give a fixed address to each one, since I cannot know if a certain couple will be present at the same time, so I have to use a pool. On the other side, I need to give access only to known machines, so I have to resort to another system.
    Looking at the manual, I should declare a class of allowed users (that is, MAC addresses) and allow only them to use a public address, while assigning a private one to the others.
    What is NOT clear to me is how to set up a class including some hundreds of MAC addresses ... since all the examples I have seen use matches or other cases. Any hint?

    If you want special treatment for some clients, you need to be
    able to identify them. Either they can all supply a parameter in
    their DHCP request -- if you control their configuration, this
    is reasonable -- or you need to maintain a list of MAC
    addresses.

    # Here is the list of MAC addresses, assigning a class:

    subclass "allocation-class-1" 1:8:0:2b:4c:39:ad;
    subclass "allocation-class-1" 1:8:0:2b:a9:cc:e3;
    subclass "allocation-class-1" 1:0:0:c4:aa:29:44;
    ...
    ...
    ...
    subclass "allocation-class-1" 1:0:0:c2:aa:23:4a;

    # and here is how they are treated differently:

    subnet 10.0.0.0 netmask 255.255.255.0 {
      pool {
        allow members of "allocation-class-1";
        deny unknown-clients;
        range 10.0.0.11 10.0.0.50;
      }
      pool {
        allow unknown-clients;
        range 10.0.0.51 10.0.0.100;
      }
    }

    Or they can go to different subnets instead of pools of
    the same one.

    I recommend putting the class definitions in one or more
    include files, with comments about human-identifiable info.
    If you have a database system that tracks things like this,
    it's a good idea to have it produce these include files
    for you every hour or day or whatever matches your needs.

    -dsr-
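
Added example, not part of the thread: one way to produce the include file recommended above from a database export, rejecting malformed or duplicate MACs and keeping owner notes from escaping their comment line. The sample rows and function names are assumptions; the class declaration follows the subclass example in dhcpd.conf(5), since each `subclass` line needs a declared class.

```python
import re

CLASS_NAME = "allocation-class-1"  # class name used in the thread

# Constructed sample rows (mac, owner note) standing in for a database export.
SAMPLE_ROWS = [
    ("08:00:2B:4C:39:AD", "lab printer, room 12"),
    ("0800.2ba9.cce3", "dotted notation from a switch table"),
    ("00-00-C4-AA-29-44", 'laptop\nsubclass "allocation-class-1" 1:de:ad:be:ef:00:01;'),
    ("08:00:2b:4c:39:ad", "duplicate of the first row"),
    ("00:00:c2:aa:23", "truncated entry"),
]

def normalize_mac(raw):
    """Return 'aa:bb:cc:dd:ee:ff', or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def safe_comment(text):
    """Collapse control characters so a note cannot break out of its '#' line."""
    return re.sub(r"[\x00-\x1f\x7f]+", " ", text).strip()

def render_include(rows, class_name=CLASS_NAME):
    """Return (config_text, rejected_rows) for a dhcpd include file."""
    lines = [
        f'class "{class_name}" {{',
        "  match pick-first-value (option dhcp-client-identifier, hardware);",
        "}",
    ]
    seen, rejected = set(), []
    for raw_mac, note in rows:
        mac = normalize_mac(raw_mac)
        if mac is None or mac in seen:
            rejected.append((raw_mac, "invalid" if mac is None else "duplicate"))
            continue
        seen.add(mac)
        lines.append(f"# {safe_comment(note)}")
        # The leading "1:" is the Ethernet hardware type, as in the thread's entries.
        lines.append(f'subclass "{class_name}" 1:{mac};')
    return "\n".join(lines) + "\n", rejected

if __name__ == "__main__":
    text, rejected = render_include(SAMPLE_ROWS)
    print(text, rejected, sep="\n")
```

Check the generated file with `dhcpd -t -cf <main config>` before reloading the server. In dhcpd.conf(5), `unknown-clients` means clients with no host declaration, which includes subclass members that have none, so confirm the pool permits with a test client.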

  • From Dan Ritter@21:1/5 to Leonardo Boselli on Fri Mar 19 15:30:01 2021
    Leonardo Boselli wrote:
    It was more or less my idea, but I was not sure about the syntax, and the documentation was not completely clear. Also, how long can the list be?
    (Yes, I have the mac addresses in a database)

    The list can easily be hundreds or thousands; if you
    need more than 10,000 or so, you have a different class of
    problem.

    -dsr-
