next »

[stramato]

can I do this?

LAN DHCP:
192.168.1.0/24
give IP address to anyone.

Virtual Interace VLAN1 on LAN DHCP:
10.69.69.0/24
Only serve DHCP from this interface when Mac Address is listed

I don't have VLAN switches.

Basically I just want a separate DHCP'd address subnet for a certain group of PC's, with known Mac's.

How can I tell the PC's (the ones that I know the Mac addresses) to use VLAN1's DHCP instead of the LAN DHCP service?

[wallabybob]

I don't know how to do what you asked.

What are you wanting to accomplish? There could well be other ways to accomplish what you want.

For example, if your LAN interface has 192.168.1.1/24 you could assign IP addresses 192.168.1.65 to 192.168.1.126 for DHCP use and tell DHCP to assign addresses in the range 192.168.1.129 to MAC address 1, 192.168.1.130 to MAC address 2 etc and have different firewall rules apply to the two different address ranges.

What are you wanting to accomplish with the two different IP address ranges?

[stramato]

i want 2 (or 3) separate subnets in the same physical network, so the separate subnet group will not "see" each other. As long as clients don't set their IP addresses statically.

this is far from an ideal design, but it's what the present network looks like. I don't want to "disturb" the present infrastructure, at least for the meantime while the VLAN Switches are being approved for budget.

[josey]

i want 2 (or 3) separate subnets in the same physical network, so the separate subnet group will not "see" each other. As long as clients don't set their IP addresses statically.

this is far from an ideal design, but it's what the present network looks like. I don't want to "disturb" the present infrastructure, at least for the meantime while the VLAN Switches are being approved for budget.

you can try with 3 nics, than you can set up 3 subnets, and DHCP on each of them, ALSO, you can set static ARP, and enter each macihne MAC address, so even if someone of users change IP address, it will not be able to comunicate with NIC

[jimp]

You cannot have multiple DHCP servers in the same physical LAN (or VLAN on managed switches). You either need separate switches or separate VLANs for each segment.

DHCP is broadcast, so anything in the same broadcast domain will see it.

Even if you could do that, it offers no security at all in terms of 'seeing' the other segment.

[stramato]

AH now I get it. Looks like i'll end up with this after all:


[switch for everybody] --- LAN1/subnet1 ---                                                    ---WAN1
                               --- LAN2/subnet2 --- [pfSense] --- Ethernet --- [pfSense] ---WAN2
                                ---LAN3/subnet3 ---                                                    ---WAN3
                                                                                                                ---WAN4


So let's say I have 3 user groups:
1. 192.168.0.0/24
2. 192.168.1.0/24
3. 192.168.2.0/24

And I know all their MAC Addresses.

How would I do these?
1. Tell LAN1 DHCP to serve IP addresses to Group 1 MAC Addresses
2. Tell LAN2 DHCP to serve IP addresses to Group 2 MAC Addresses
3. Tell LAN3 DHCP to serve IP addresses to Group 3 MAC Addresses
4. Don't give IP Addresses to unknown MAC's
5. Don't give unknown MAC's internet access

Also, does Squid support multi-LAN?

[josey]

switch---lan1---192.168.0.0
switch2---lan2(optx)---192.168.1.0
switch3---lan3(opty)---192.168.2.0

So let's say I have 3 user groups:
1. 192.168.0.0/24
2. 192.168.1.0/24
3. 192.168.2.0/24

And I know all their MAC Addresses.

How would I do these?
1. Tell LAN1 DHCP to serve IP addresses to Group 1 MAC Addresses
2. Tell LAN2 DHCP to serve IP addresses to Group 2 MAC Addresses
3. Tell LAN3 DHCP to serve IP addresses to Group 3 MAC Addresses
4. Don't give IP Addresses to unknown MAC's
5. Don't give unknown MAC's internet access

enable DHCP SERVER on each interface, with checked deny unknown clients and enable static arp entries
enter each MAC addres on specific interface dhcp list
this should do thing for you.

4 and 5 are related to same thing...
btw, why are you trying to setup 4 wans ?

[stramato]

switch---lan1---192.168.0.0
switch2---lan2(optx)---192.168.1.0
switch3---lan3(opty)---192.168.2.0

enable DHCP SERVER on each interface, with checked deny unknown clients and enable static arp entries
enter each MAC addres on specific interface dhcp list
this should do thing for you.

As much as I would like to have separate switches (or separate VLANs) for the different subnets, I'm afraid the present infrastructure does not permit me to do that, and I'm stuck figuring out a way to have separate subnets in a single, unmanaged physical switch.

Until the budget for VLAN Switches (and its implementation! The site is physically big. Tracing the cable termination will be a PITA) gets approved, I'm stuck with this setup.

btw, why are you trying to setup 4 wans ?

Load Balance for 4 ADSL lines.

[josey]

unfortunately i think then there is no much help for you

[danswartz]

Are these different groups really all mixed together?  If so, what an absolute nightmare.  Whoever "designed" this should be fired

[jimp]

AH now I get it. Looks like i'll end up with this after all:

If you think that will work on one physical segment, you still don't get it

How would I do these?
1. Tell LAN1 DHCP to serve IP addresses to Group 1 MAC Addresses
2. Tell LAN2 DHCP to serve IP addresses to Group 2 MAC Addresses
3. Tell LAN3 DHCP to serve IP addresses to Group 3 MAC Addresses
4. Don't give IP Addresses to unknown MAC's
5. Don't give unknown MAC's internet access

Even though you can tell DHCP to give static IPs as you see fit, you can't assign those clients a gateway in their own subnet like that.

4/5 Are possible with the 'deny unknown clients' and 'static arp' options - but static ARP is broken on 1.2.3. It works on 2.0 though.

Also, does Squid support multi-LAN?

Yes, but not multi-wan.

[karaluch]

Hi, I have similar problem becouse I need to design Network with two dhcp servers without VLANs

pfSesne Version: 2.0-BETA4 (i386) built on Mon Sep 20 21:39:12 EDT 2010 FreeBSD 8.1-RELEASE-p1

DHCP#1: eth1 192.168.1.254 192.168.1.0/24 192.168.1.1-192.168.1.99 with Deny unknown clients and Static DHCP table
DHCP#2: opt1 192.168.2.254 192.168.2.0/24 192.168.2.1-192.168.2.99

In ideal case: if the mac address is known host gets ip from dhcp#1 but in a different situation host gets address from dhcp#2

Problem is that i don't know how to set dhcp#1 like primary and static dhcp table in not the same like list of known clients
so when i have chosen "Deny unknown clients" and host in not known client, it doesn't get any address

[jimp]

Having two DHCP servers on the same network will not work.

However, I don't think that static IP mappings from DHCP have to be within the same subnet, so you might be able to just run the DHCP server on the segment for normal clients and have the static IP mappings for the other IPs...

But even if that could work, it's ugly. And really there is no good reason not to segment subnets on different interfaces/VLANs.