Re: [Vyatta-users] DHCP
What are the destination addresses that are being forwarded? Broadcasts shouldn't be forwarded, but the router needs to know that they're broadcast addresses. It'll only recognize 10.1.255.255 and 10.2.255.255 as broadcast addresses. If a system is sending requests to, say, 10.1.12.255 where a system is set up as a /24, that address is recognized as a perfectly valid address and will be forwarded. Justin On Jan 22, 2008 1:01 PM, [EMAIL PROTECTED] wrote: I've set up a very basic router with only two interfaces: eth0 is my 10.1.0.0 subnet and eth1 is my 10.2.0.0 subnet. The router's default gateway is my Internet router. The subnets are in different buildings on our campus connected via a wireless link. I use them mainly in conjunction with Windows Server 2003 sites to control replication of the of the Active Directory and the Distributed File System set up for user home folders. Internet access, internal routing between my two subnets, and replication of the AD and DFS work fine. My problem is that dhcp request broadcasts are being forwarded to the 10.2.0.0 subnet from the 10.1.0.0 subnet. Each subnet has its own dhcp server (implemented on 2003 machines not the router). Hosts that should receive 10.1.x.x addresses are receiving 10.2.x.x addresses. dhcp forwarding is not configured on the router. My understanding from the documentation is that the router should automatically block broadcasts. I would appreciate any help in discovering what I'm missing. Below is my configuration. Thanks, Robert protocols { } policy { } interfaces { restore: false loopback lo { description: } ethernet eth0 { disable: false discard: false description: hw-id: 00:d0:b7:92:50:b7 duplex: auto speed: auto address 10.1.0.253 { prefix-length: 16 disable: false } } ethernet eth1 { disable: false discard: false description: hw-id: 00:d0:b7:92:9a:ab duplex: auto speed: auto address 10.2.0.1 { prefix-length: 16 disable: false } } } service { webgui { http-port: 80 https-port: 443 } } firewall { log-martians: enable send-redirects: disable receive-redirects: disable ip-src-route: disable broadcast-ping: disable syn-cookies: enable } system { host-name: HSRouter domain-name: name-server 206.54.112.1 time-zone: Denver ntp-server 69.59.150.135 gateway-address: 10.1.0.254 login { user root { full-name: authentication { encrypted-password: $1$$Ht7gBYnxI1xCdO/JOnodh. } } user vyatta { full-name: authentication { encrypted-password: $1$$Ht7gBYnxI1xCdO/JOnodh. } } } package { auto-sync: 1 repository community { component: main url: http://archive.vyatta.com/vyatta; } } } ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP pool questions
Exactly. Why should anybody care? This is DHCP we're talking about. As long as a node receives a currently unused address from the pool, you're up and done. If you want to control the assignment of nodes to addresses, well, that's what static addressing is for. I do think it's a bit odd that the ISC DHCP server would allocate stuff from the end of the pool rather than the beginning, but that's perfectly legal, IMO. This is just a guess, but the ISC server may be using the hash table to try to reassign the same address back to the same client if it's still available. As new clients with new MAC addresses come in, they are assigned a new address in decreasing order, but when a client returns, it will be assigned the same address as before unless another client is using it. This probably helps eliminate accidental duplicate corner cases with things like laptops that go on and off net, machines that go into a low-power sleep state, etc. In a former company, we used the standard Windows Server DHCP server and I remember having some issues with duplicate addresses being handed out. I think the server always got it right, but I think clients would sometimes miss the fact that their lease had expired. You can't completely eliminate this problem if the client is buggy, but you can mitigate it if you try to hand out the same address to the same clients each time. -- Dave _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aubrey Wells Sent: Sunday, January 13, 2008 9:39 PM To: Marat Nepomnyashy Cc: vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] DHCP pool questions From the dhcpd.conf (5) man page: quote The DHCP server generates the list of available IP addresses from a hash table. This means that the addresses are not sorted in any particular order, and so it is not possible to predict the order in which the DHCP server will allocate IP addresses. Users of previous versions of the ISC DHCP server may have become accustomed to the DHCP server allocating IP addresses in ascending order, but this is no longer possible, and there is no way to configure this behavior with version 3 of the ISC DHCP server. /quote So it looks like it is actually non-deterministic what IP you may receive. If you have a fresh dhcpd.leases file, you will initially get leases in descending order, but after a few are assigned and some are expired, it will become somewhat random(ish). This is how the ISC dhcpd daemon works (which happens to be the most popular (by far) linux dhcp daemon) and isnt specific to vyatta. If you install dhcpd on a redhat system, you'll see the exact same behavior. As for *why* this was done starting with v3 of dhcpd, I dunno. I'm curious as to why it leasing in descending order is a show-stopper for you? This seems like a (very) trivial thing to nitpick over. What difference does it make as long as your clients get addresses? -- Aubrey Wells Senior Engineer Shelton | Johns Technology Group A Vyatta Ready Partner www.sheltonjohns.com On Jan 13, 2008, at 10:41 PM, Marat Nepomnyashy wrote: Hi Mike, As far as to why the DHCP server leases out IPs from the end of the block rather than from the beginning, I'm not sure myself. I just signed up for the ISC DHCP server mailing lists at http://www.isc.org/index.pl?/sw/dhcp/dhcp-lists.php and plan to ask the people on there this question as well. If you added a second dhcp pool for eth2, but it did not appear in '/opt/vyatta/config/dhcpd.conf', and you stil have the config and the 'dhcpd.conf' after that commit, then please include these files with your message. Thanks, Marat - Original Message - From: silvertip257 mailto:[EMAIL PROTECTED] To: Marat Nepomnyashy mailto:[EMAIL PROTECTED] ; vyatta-users@mailman.vyatta.com Sent: Sunday, January 13, 2008 6:54 PM Subject: Re: [Vyatta-users] DHCP pool questions Why cannot I take addresses out of the beginning of the block like I'd rather it do? How can I (without rewriting/modifying source code)? That would really stink to have to statically assign everything to make it the way (that it makes sense). It's great and all that it actually does assign an address and ' works ', but why not start at the beginning? From what Marat wrote, I understand that you've seen that behavior before - confirmed. Now, can it be changed? I won't try to start any wars here, but that would unfortunately be one reason I would not want to use Vyatta. Well that and the WAN dhclient that's in progress. I could have sworn (oh and I did commit it) that I added a config for a second dhcp pool (separate) for eth2, but voila it's gone when I check dhcpd.conf... Thanks, Mike On Jan 13, 2008 8:37 PM, Marat Nepomnyashy [EMAIL PROTECTED] wrote: Hi Mike, As far as I know, it is normal for the ISC DHCP server that the Vyatta router is using to lease out addresses starting from the last address of the DHCP lease block, I've seen this before. Not quite sure myself why ISC
Re: [Vyatta-users] DHCP pool questions
Yeah, that makes sense. I _wish_ I had a T1 or T3 ... I'd be broke in no time and I'd never use the 24/7 bandwidth! I've got a Cisco routing/switching class this semester, so I should be able to apply most of the knowledge from that class to Vyatta and take off! You guys haven't figured out how to put Vyatta on Cisco 2811s yet have you? Then I could have Vyatta in the lab in a covert package! ;) Kidding! ;) Mike On Jan 14, 2008 8:59 PM, Stig Thormodsrud [EMAIL PROTECTED] wrote: Ok, as long as your using dhcp for an ethernet interface it should be fine. Our WAN interfaces that we support are T1 and T3 serial interfaces using ppp or hdlc or frame-relay encapsulation and those would not support dhcp client since they are point to point. stig -- *From:* silvertip257 [mailto:[EMAIL PROTECTED] *Sent:* Monday, January 14, 2008 5:54 PM *To:* Stig Thormodsrud *Subject:* Re: [Vyatta-users] DHCP pool questions What should I call my connection to my residential ISP? To me it's a WAN connection [I could be wrong] and I need dhclient running on eth0 to successfully obtain an address without ticking off my ISP (sure I can statically assign it, but they [and eventually I] will not like it) -- hehe the nature of DHCP. I'm not running PPPoE. Just DHCP back to my ISP. I'll make some nice duplications/collisions for my ISP, that could nicely coincide with Dave's Win Server DHCP conflicts! Mike On Jan 14, 2008 4:31 PM, Stig Thormodsrud [EMAIL PROTECTED] wrote: Hi Mark, I'm curious when you say WAN dhcp. Most WAN is point to point and dhcp client wouldn't really apply. Are you talking about PPPoE? stig -- *From:* silvertip257 [mailto:[EMAIL PROTECTED] *Sent:* Sunday, January 13, 2008 8:53 PM *To:* Stig Thormodsrud *Subject:* Re: [Vyatta-users] DHCP pool questions Awesome - that's what I've been reading as I sift through the emails I get from the mailing list. Mike On Jan 13, 2008 11:24 PM, Stig Thormodsrud [EMAIL PROTECTED] wrote: Ø Well that and the WAN dhclient that's in progress. Dhcp client has already been committed to the development branch which means it'll be available in the next release (glendale) assuming the testing goes well. stig -- *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *silvertip257 *Sent:* Sunday, January 13, 2008 6:55 PM *To:* Marat Nepomnyashy; vyatta-users@mailman.vyatta.com *Subject:* Re: [Vyatta-users] DHCP pool questions Why cannot I take addresses out of the beginning of the block like I'd rather it do? How can I (without rewriting/modifying source code)? That would really stink to have to statically assign everything to make it the way (that it makes sense). It's great and all that it actually does assign an address and ' works ', but why not start at the beginning? From what Marat wrote, I understand that you've seen that behavior before - confirmed. Now, can it be changed? I won't try to start any wars here, but that would unfortunately be one reason I would not want to use Vyatta. Well that and the WAN dhclient that's in progress. I could have sworn (oh and I did commit it) that I added a config for a second dhcp pool (separate) for eth2, but voila it's gone when I check dhcpd.conf... Thanks, Mike On Jan 13, 2008 8:37 PM, Marat Nepomnyashy [EMAIL PROTECTED] wrote: Hi Mike, As far as I know, it is normal for the ISC DHCP server that the Vyatta router is using to lease out addresses starting from the last address of the DHCP lease block, I've seen this before. Not quite sure myself why ISC does it this way, maybe there is an assumption that the IPs at the end of the block are less likely to be already taken... When you write I have discovered that various parts have been separated from the main config, what do you mean? The DHCP server configuration file is '/opt/vyatta/etc/dhcpd.conf', not '/opt/vyatta/etc/dhcp.conf'. The configuration for eth2 should not show up there if you did not configure any DHCP leases for any of the subnets to which your the interface is connected. If you have additional questions, please send us snippets of your router configuration under hierarchies 'interfaces ethernet' and 'service dhcp-server'. Please also send the contents of '/opt/vyatta/etc/dhcpd.conf'. Thanks, Marat - Original Message - *From:* silvertip257 [EMAIL PROTECTED] *To:* vyatta-users@mailman.vyatta.com *Sent:* Saturday, January 12, 2008 4:36 PM *Subject:* [Vyatta-users] DHCP pool questions I've set up a complete vyatta system a few times, even with two versions ( 2.2 and 3.0). I'm currently working with 3.0 and I'm getting the same behavior as the last time. I setup a DHCP server on eth1, but when it hands out addresses, it always gives out the last address in the block (in this case
Re: [Vyatta-users] DHCP pool questions
Hi Mike, As far as to why the DHCP server leases out IPs from the end of the block rather than from the beginning, I'm not sure myself. I just signed up for the ISC DHCP server mailing lists at http://www.isc.org/index.pl?/sw/dhcp/dhcp-lists.php and plan to ask the people on there this question as well. If you added a second dhcp pool for eth2, but it did not appear in '/opt/vyatta/config/dhcpd.conf', and you stil have the config and the 'dhcpd.conf' after that commit, then please include these files with your message. Thanks, Marat - Original Message - From: silvertip257 To: Marat Nepomnyashy ; vyatta-users@mailman.vyatta.com Sent: Sunday, January 13, 2008 6:54 PM Subject: Re: [Vyatta-users] DHCP pool questions Why cannot I take addresses out of the beginning of the block like I'd rather it do? How can I (without rewriting/modifying source code)? That would really stink to have to statically assign everything to make it the way (that it makes sense). It's great and all that it actually does assign an address and ' works ', but why not start at the beginning? From what Marat wrote, I understand that you've seen that behavior before - confirmed. Now, can it be changed? I won't try to start any wars here, but that would unfortunately be one reason I would not want to use Vyatta. Well that and the WAN dhclient that's in progress. I could have sworn (oh and I did commit it) that I added a config for a second dhcp pool (separate) for eth2, but voila it's gone when I check dhcpd.conf... Thanks, Mike On Jan 13, 2008 8:37 PM, Marat Nepomnyashy [EMAIL PROTECTED] wrote: Hi Mike, As far as I know, it is normal for the ISC DHCP server that the Vyatta router is using to lease out addresses starting from the last address of the DHCP lease block, I've seen this before. Not quite sure myself why ISC does it this way, maybe there is an assumption that the IPs at the end of the block are less likely to be already taken... When you write I have discovered that various parts have been separated from the main config, what do you mean? The DHCP server configuration file is '/opt/vyatta/etc/dhcpd.conf', not '/opt/vyatta/etc/dhcp.conf'. The configuration for eth2 should not show up there if you did not configure any DHCP leases for any of the subnets to which your the interface is connected. If you have additional questions, please send us snippets of your router configuration under hierarchies 'interfaces ethernet' and 'service dhcp-server'. Please also send the contents of '/opt/vyatta/etc/dhcpd.conf'. Thanks, Marat - Original Message - From: silvertip257 To: vyatta-users@mailman.vyatta.com Sent: Saturday, January 12, 2008 4:36 PM Subject: [Vyatta-users] DHCP pool questions I've set up a complete vyatta system a few times, even with two versions (2.2 and 3.0). I'm currently working with 3.0 and I'm getting the same behavior as the last time. I setup a DHCP server on eth1, but when it hands out addresses, it always gives out the last address in the block (in this case 192.168.0.60 consistently). When finding the configuration, I have discovered that various parts have been separated from the main config - I don't know if it was that way in previous versions, but thought I'd mention it. Also, my DHCP server for eth2 does not show up in /opt/vyatta/etc/dhcp.conf ;; that's another issue that I'll have to solve after this one. My config for the DHCP server: shared-network Subnet1 { subnet 192.168.0.32 netmask 255.255.255.224 { not authoritative; default-lease-time 86400; max-lease-time 86400; range 192.168.0.34 192.168.0.60; } Thanks, Mike -- // SilverTip257 // == ~ · · /V\ // \\ /( )\ ^`~´^ ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users -- // SilverTip257 // == ~ · · /V\ // \\ /( )\ ^`~´^ -- // SilverTip257 // == ~ · · /V\ // \\ /( )\ ^`~´^ ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP pool questions
* Well that and the WAN dhclient that's in progress. Dhcp client has already been committed to the development branch which means itll be available in the next release (glendale) assuming the testing goes well. stig _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of silvertip257 Sent: Sunday, January 13, 2008 6:55 PM To: Marat Nepomnyashy; vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] DHCP pool questions Why cannot I take addresses out of the beginning of the block like I'd rather it do? How can I (without rewriting/modifying source code)? That would really stink to have to statically assign everything to make it the way (that it makes sense). It's great and all that it actually does assign an address and ' works ', but why not start at the beginning? From what Marat wrote, I understand that you've seen that behavior before - confirmed. Now, can it be changed? I won't try to start any wars here, but that would unfortunately be one reason I would not want to use Vyatta. Well that and the WAN dhclient that's in progress. I could have sworn (oh and I did commit it) that I added a config for a second dhcp pool (separate) for eth2, but voila it's gone when I check dhcpd.conf... Thanks, Mike On Jan 13, 2008 8:37 PM, Marat Nepomnyashy [EMAIL PROTECTED] wrote: Hi Mike, As far as I know, it is normal for the ISC DHCP server that the Vyatta router is using to lease out addresses starting from the last address of the DHCP lease block, I've seen this before. Not quite sure myself why ISC does it this way, maybe there is an assumption that the IPs at the end of the block are less likely to be already taken... When you write I have discovered that various parts have been separated from the main config, what do you mean? The DHCP server configuration file is '/opt/vyatta/etc/dhcpd.conf', not '/opt/vyatta/etc/dhcp.conf'. The configuration for eth2 should not show up there if you did not configure any DHCP leases for any of the subnets to which your the interface is connected. If you have additional questions, please send us snippets of your router configuration under hierarchies 'interfaces ethernet' and 'service dhcp-server'. Please also send the contents of '/opt/vyatta/etc/dhcpd.conf'. Thanks, Marat - Original Message - From: silvertip257 mailto:[EMAIL PROTECTED] To: vyatta-users@mailman.vyatta.com Sent: Saturday, January 12, 2008 4:36 PM Subject: [Vyatta-users] DHCP pool questions I've set up a complete vyatta system a few times, even with two versions (2.2 and 3.0). I'm currently working with 3.0 and I'm getting the same behavior as the last time. I setup a DHCP server on eth1, but when it hands out addresses, it always gives out the last address in the block (in this case 192.168.0.60 consistently). When finding the configuration, I have discovered that various parts have been separated from the main config - I don't know if it was that way in previous versions, but thought I'd mention it. Also, my DHCP server for eth2 does not show up in /opt/vyatta/etc/dhcp.conf ;; that's another issue that I'll have to solve after this one. My config for the DHCP server: shared-network Subnet1 { subnet 192.168.0.32 netmask 255.255.255.224 { not authoritative; default-lease-time 86400; max-lease-time 86400; range 192.168.0.34 192.168.0.60; } Thanks, Mike -- // SilverTip257 // == ~ · · /V\ // \\ /( )\ ^`~´^ _ ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users http://mailman.vyatta.com/mailman/listinfo/vyatta-users -- // SilverTip257 // == ~ · · /V\ // \\ /( )\ ^`~´^ -- // SilverTip257 // == ~ · · /V\ // \\ /( )\ ^`~´^ ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP relay
Thanks for your reply. Sorry, my mistake : not eth1 but eth0. (192.168.10.X) Eth2 - network with the DHCP Server on network 192.168.2.XXx The DHCP serve the scope (192.168.2.0) as well : here no problem the pc got their IP (see the log, after) and I would like that the DHCP server serve the scope 192.168.10.XX as well on the interfaces eth0 So on my windows server, I have a superScope with 2 scope (192.168.2.0 and 192.168.10.0) styohanes:~# tcpdump -n port 67 -i eth2 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes 07:45:14.790263 IP 192.168.2.10.67 192.168.2.2.67: BOOTP/DHCP, Request from XXX, length 300 07:45:31.788526 IP 192.168.2.10.67 192.168.2.2.67: BOOTP/DHCP, Request from XXX, length 300 07:46:32.337900 IP 192.168.2.154.68 255.255.255.255.67: BOOTP/DHCP, Request from XXX333, length 300 07:47:15.884938 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from XXX222, length 300 07:47:15.885338 IP 192.168.2.2.67 255.255.255.255.68: BOOTP/DHCP, Reply, length 300 07:47:28.896045 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from XXX222, length 300 07:47:28.896468 IP 192.168.2.2.67 255.255.255.255.68: BOOTP/DHCP, Reply, length 300 07:50:50.781445 IP 192.168.2.10.67 192.168.2.2.67: BOOTP/DHCP, Request from XXX, length 300 07:50:53.777544 IP 192.168.2.10.67 192.168.2.2.67: BOOTP/DHCP, Request from XXX, length 300 So, the request is going to the DHCP server, but no reply from him. But it work fine for the mac XXX222 which is in the network 192.168.2.0 I think the problem is from my DCHP Server, How can you define a scope to reply to a router - link the Scope 192.168.10.0 to the router 192.168.10.1 ? Thanks for your help. only 6 hours on a DHCP problem, :-/ merci Damien On Dec 6, 2007 9:40 PM, Robyn Orosz [EMAIL PROTECTED] wrote: Hi Damien, What interface is the network connected to that you wish to serve DHCP addresses? You mention eth1 in your post, but I only see eth0 and eth2 configured for dhcp-relay. If you want to serve hosts behind eth1, you need to add eth1 to the dhcp-relay configuration. To make this more clear, if your win 2k3 server is configured with a DHCP scope for network 192.168.10.x, it will only serve requests made from the interface configured with 192.168.10.x. The dhcp-relay adds the IP address of the interface that requests are seen on into the BOOTP request packets so the DHCP server knows which scope to serve addresses to. Thank you, Robyn Troopy . wrote: Hello, Did you check the routing? i mean the DHCP server must be able to reach the client at the IP layer. I remember i forgot this when i wrote the DHCP openmaniak tutorial. (See the case study, i forgot set protocols static route 0.0.0.0/0next-hop 10.0.2.2) Bonne chance Troopy -- Original Message -- From: Dams [EMAIL PROTECTED] Date: Thu, 6 Dec 2007 18:01:08 +0700 Hello, I have a problem with the DHCP-relay Config: dhcp-relay { interface eth0 interface eth2 server 192.168.2.2 relay-options { } Eth0 conect to my DHCP server (win 2k3 Server) : 192.168.2.2 and Eth1 to a subnet : 192.168.10.X But the dhcp relay doesn't work X:~# tcpdump -n port 67 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 17:50:29.636059 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from X, length 300 17:50:33.376048 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from X, length 300 17:50:38.370026 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from X, length 300 17:50:47.370767 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from X, length 300 17:51:03.369141 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from X, length 300 But If I add the MAC on static in my DHCP Server, it work fine. XXX:~# tcpdump -n port 67 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 17:11:28.052775 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from X, length 300 17:11:28.053871 IP 192.168.10.1.67 255.255.255.255.68: BOOTP/DHCP, Reply, length 318 17:11:28.055461 IP 0.0.0.0.68 255.255.255.255.67: BOOTP/DHCP, Request from X, length 302 17:11:28.056391 IP 192.168.10.1.67 255.255.255.255.68: BOOTP/DHCP, Reply, length 318 What did I miss ? I follow the HowTo http://www.openmaniak.com/vyatta_case_dhcp.php#dhcp-process which is brilliant, thanks. The only differents is that my DHCP is not on the router, but on another PC. Do I need to add a route to define the DHCP Server? Do i need to add a data on
Re: [Vyatta-users] DHCP relay
Thanks Robyn, My config Internet - Untangle -- Switch and plug on the switch Vyatta Router, the network 192.168.2.0, and the DHCP Server Schema: X - Vyatta -- Network 192.168.10.0 Internet --- Untangle Gateway --- Switch X-- Network 192.168.2.0 + DHCP Server My config on vyatta protocols { snmp { community public { client 192.168.2.5 client 192.168.2.99 } trap-target 192.168.1.1 trap-target 192.168.10.1 contact: Network Administrator location: X } static { } } policy { } interfaces { loopback lo { address 10.0.0.65 { prefix-length: 32 } } ethernet eth0 { description: My Sub Net 10 hw-id: 00:03:47:06:39:9e address 192.168.10.1 { prefix-length: 24 } } ethernet eth1 { disable: true description: Not Working hw-id: 00:06:5b:a5:29:10 } ethernet eth2 { description: Interface Out hw-id: 00:0e:2e:98:18:80 address 192.168.2.10 { prefix-length: 24 } } } service { dhcp-relay { interface eth0 interface eth2 server 192.168.2.2 relay-options { } } nat { rule 1 { type: masquerade outbound-interface: eth2 } rule 2 { type: masquerade inbound-interface: eth2 outbound-interface: eth0 protocols: all source { network: 192.168.2.0/24 } destination { network: 192.168.10.0/24 } } } ssh { } webgui { } } firewall { } } system { host-name: X domain-name: .ac.id domain-search { domain X.ac.id } name-server 192.168.2.2 time-zone: GMT+7 ntp-server 69.59.150.135 gateway-address: 192.168.2.1 login { user root { authentication { encrypted-password: } } user vyatta { authentication { encrypted-password: } } user networkadmin { full-name: Network Administrator authentication { encrypted-password: plaintext-password: } } } package { repository community { component: main url: http://archive.vyatta.com/vyatta; } } options { } } The capture from a PC in the network 192.168.2.0 tshark -i eth2 port 67 and port 68 -Vn Frame 5 (342 bytes on wire, 342 bytes captured) Arrival Time: Dec 6, 2007 09:00:22.590416000 [Time delta from previous packet: 0.018551000 seconds] [Time since reference or first frame: 0.019484000 seconds] Frame Number: 5 Packet Length: 342 bytes Capture Length: 342 bytes [Frame is marked: False] [Protocols in frame: eth:ip:udp:bootp] Ethernet II, Src: MacRouterEth2 (MacRouterEth2), Dst: (XXX) Destination: (X) Address: (X) ...0 = IG bit: Individual address (unicast) ..0. = LG bit: Globally unique address (factorydefault) Source: MAC (MacRouterEth2) Address: MacRouterEth2 (0MacRouterEth2) ...0 = IG bit: Individual address (unicast) ..0. = LG bit: Globally unique address (factorydefault) Type: IP (0x0800) Internet Protocol, Src: 192.168.2.10 (192.168.2.10), Dst: 192.168.2.196 ( 192.168 .2.196) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00) 0001 00.. = Differentiated Services Codepoint: Unknown (0x04) ..0. = ECN-Capable Transport (ECT): 0 ...0 = ECN-CE: 0 Total Length: 328 Identification: 0x (0) Flags: 0x00 0... = Reserved bit: Not set .0.. = Don't fragment: Not set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 16 Protocol: UDP (0x11) Header checksum: 0x2377 [correct]
Re: [Vyatta-users] DHCP relay
Hi Damien, Thanks for the extra info. I think the problem may be due to your masquerade rules. Rule 1 is masquerading all traffic that leaves eth2. So, anything with a source address of 192.168.10.x will be changed to a source address of 192.168.2.10. Rule 2 looks like it's basically doing the reverse. Why do you have these masquerade rules configured? You shouldn't need any NAT for the 2 connected networks and this will confuse things as I think it may be doing now. Thanks, Robyn Dams wrote: Thanks Robyn, My config Internet - Untangle -- Switch and plug on the switch Vyatta Router, the network 192.168.2.0 http://192.168.2.0, and the DHCP Server Schema: X - Vyatta -- Network 192.168.10.0 http://192.168.10.0 Internet --- Untangle Gateway --- Switch X-- Network 192.168.2.0 http://192.168.2.0 + DHCP Server My config on vyatta protocols { snmp { community public { client 192.168.2.5 http://192.168.2.5 client 192.168.2.99 http://192.168.2.99 } trap-target 192.168.1.1 http://192.168.1.1 trap-target 192.168.10.1 http://192.168.10.1 contact: Network Administrator location: X } static { } } policy { } interfaces { loopback lo { address 10.0.0.65 http://10.0.0.65 { prefix-length: 32 } } ethernet eth0 { description: My Sub Net 10 hw-id: 00:03:47:06:39:9e address 192.168.10.1 http://192.168.10.1 { prefix-length: 24 } } ethernet eth1 { disable: true description: Not Working hw-id: 00:06:5b:a5:29:10 } ethernet eth2 { description: Interface Out hw-id: 00:0e:2e:98:18:80 address 192.168.2.10 http://192.168.2.10 { prefix-length: 24 } } } service { dhcp-relay { interface eth0 interface eth2 server 192.168.2.2 http://192.168.2.2 relay-options { } } nat { rule 1 { type: masquerade outbound-interface: eth2 } rule 2 { type: masquerade inbound-interface: eth2 outbound-interface: eth0 protocols: all source { network: 192.168.2.0/24 http://192.168.2.0/24 } destination { network: 192.168.10.0/24 http://192.168.10.0/24 } } } ssh { } webgui { } } firewall { } } system { host-name: X domain-name: .ac.id http://.ac.id domain-search { domain X.ac.id http://X.ac.id } name-server 192.168.2.2 http://192.168.2.2 time-zone: GMT+7 ntp-server 69.59.150.135 http://69.59.150.135 gateway-address: 192.168.2.1 http://192.168.2.1 login { user root { authentication { encrypted-password: } } user vyatta { authentication { encrypted-password: } } user networkadmin { full-name: Network Administrator authentication { encrypted-password: plaintext-password: } } } package { repository community { component: main url: http://archive.vyatta.com/vyatta; } } options { } } The capture from a PC in the network 192.168.2.0 http://192.168.2.0 tshark -i eth2 port 67 and port 68 -Vn Frame 5 (342 bytes on wire, 342 bytes captured) Arrival Time: Dec 6, 2007 09:00: 22.590416000 [Time delta from previous packet: 0.018551000 seconds] [Time since reference or first frame: 0.019484000 seconds] Frame Number: 5 Packet Length: 342 bytes Capture Length: 342 bytes [Frame is marked: False] [Protocols in frame: eth:ip:udp:bootp] Ethernet II, Src: MacRouterEth2 (MacRouterEth2), Dst: (XXX) Destination: (X) Address: (X) ...0 = IG bit: Individual address (unicast) ..0. = LG bit: Globally unique address (factory
Re: [Vyatta-users] DHCP relay in vif interfaces (vc3)
Thanks Marat, I will try it asap. Marat Nepomnyashy wrote: Hi Sergio, There is a limitation in the VC3 release in that only 'ethX' values can be specified for DHCP relay interfaces. This is due to overly stringent validation checks. I just opened a new bug on this: https://bugzilla.vyatta.com/show_bug.cgi?id=2473 A temporary work-around can be implemented using the attachments just added to Bug 2473. There is the attachment id 238 that should be copied over the runtime file '/opt/vyatta/share/xorp/templates/rl_dhcp.tp' on your router. You will also need to apply the patch in attachment id 239 to the runtime script file '/opt/vyatta/sbin/dhcrelay-starter.pl' to disable another validation check. You will have to reboot the router for the validation checks removals to take effect, so make sure you're running off a disk rather than CDROM, or the changes will be lost. Hope this works for now, -- Marat - Original Message - From: Sergio Garcia [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 14, 2007 4:34 AM Subject: [Vyatta-users] DHCP relay in vif interfaces (vc3) Hi all. I hope you can help me with this doubt :) I want to relay dhcp requests incoming from tree eth1 vif's to a dhcp server but Vyatta VC3 only allows me to select ethX interfaces (X goes from 0 to 23). Is it possible to do this? Launching dhcrelay manually is not a good solution, but if it is the only way I will accept. Thanks in advance ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users -- This mail has been sent through DS2 mail server ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP relay in vif interfaces (vc3)
Hi Sergio, There is a limitation in the VC3 release in that only 'ethX' values can be specified for DHCP relay interfaces. This is due to overly stringent validation checks. I just opened a new bug on this: https://bugzilla.vyatta.com/show_bug.cgi?id=2473 A temporary work-around can be implemented using the attachments just added to Bug 2473. There is the attachment id 238 that should be copied over the runtime file '/opt/vyatta/share/xorp/templates/rl_dhcp.tp' on your router. You will also need to apply the patch in attachment id 239 to the runtime script file '/opt/vyatta/sbin/dhcrelay-starter.pl' to disable another validation check. You will have to reboot the router for the validation checks removals to take effect, so make sure you're running off a disk rather than CDROM, or the changes will be lost. Hope this works for now, -- Marat - Original Message - From: Sergio Garcia [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 14, 2007 4:34 AM Subject: [Vyatta-users] DHCP relay in vif interfaces (vc3) Hi all. I hope you can help me with this doubt :) I want to relay dhcp requests incoming from tree eth1 vif's to a dhcp server but Vyatta VC3 only allows me to select ethX interfaces (X goes from 0 to 23). Is it possible to do this? Launching dhcrelay manually is not a good solution, but if it is the only way I will accept. Thanks in advance ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP/NAT/Firewall rules
Allan Leinwand wrote: Hi Tony, I believe that the established keyword should only allow connections from the Internet back into your network that have the TCP SYN ACK flags set. So, if I understand your DNAT rules correctly, it would only allow TCP SYN ACK packets back into your network with the destination ports you specified. Please see http://www.faqs.org/docs/iptables/tcpconnections.html for more on iptables. If I'm wrong (as I am apt to do these days :) I am sure someone will correct me I believe you are wrong. Look for my next message where I will go into more detail on why. Tony ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP/NAT/Firewall rules
Hi Tony, You should be able to put the allowed ports in the destination port-number/portname fields in the DNAT rule. This way, only packets with those destination ports will be DNATed and be able to access the 10.1.1.2 server. An-Cheng Tony Cratz wrote: I have set-up my OFR to use DHCP with an internal address space of 10.1.1.0/24. My OFR will receive my 71.159.206.0/29 on the IP of 71.140.62.22. So I'm using NAT to map 71.159.206.2 to 10.1.1.2 (as a bi-directional NAT). Now I want to have some rules (firewall?) to allow only a few ports to connect to the 71.159.206.2 (10.1.1.2) system such as SMTP, SSH, FTP, HTTP and a few others. The question I have is should these rules be defined as Firewall rules or as NAT rules? ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP/NAT/Firewall rules
An-Cheng Huang wrote: Hi Tony, You should be able to put the allowed ports in the destination port-number/portname fields in the DNAT rule. This way, only packets with those destination ports will be DNATed and be able to access the 10.1.1.2 server. An-Cheng Tony Cratz wrote: I have set-up my OFR to use DHCP with an internal address space of 10.1.1.0/24. My OFR will receive my 71.159.206.0/29 on the IP of 71.140.62.22. So I'm using NAT to map 71.159.206.2 to 10.1.1.2 (as a bi-directional NAT). Now I want to have some rules (firewall?) to allow only a few ports to connect to the 71.159.206.2 (10.1.1.2) system such as SMTP, SSH, FTP, HTTP and a few others. The question I have is should these rules be defined as Firewall rules or as NAT rules? Thanks for the answer. background comment I have done a bit more readying since I sent the last two messages and found an old message to the list back in 10/2006 which mention about state {established: enable} thus answering the question about reflector lists. (note: this is not covered in the Configuration Guild, I had to read about it in the Command Reference to come close to understanding it). I also understand now that the firewalls really sit at the very edge on the interfaces. So in my above case I would need to use the 10.1.1.0/24 addresses in the rules. /background comment Now this brings up a couple of new question, if I have a firewall on eth1 (which would be the LAN interface) which uses reflector lists ( state {established: enable} ) and I specified the ports in my DNAT ... does this now 'punches' those ports through the firewall? Or are the ports now blocked by the firewall for any 'new' connections? Tony ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP/NAT/Firewall rules
Hi Tony, I believe that the established keyword should only allow connections from the Internet back into your network that have the TCP SYN ACK flags set. So, if I understand your DNAT rules correctly, it would only allow TCP SYN ACK packets back into your network with the destination ports you specified. Please see http://www.faqs.org/docs/iptables/tcpconnections.html for more on iptables. If I'm wrong (as I am apt to do these days :) I am sure someone will correct me Take care, Allan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Cratz Sent: Tuesday, October 02, 2007 2:30 PM To: [EMAIL PROTECTED] Subject: Re: [Vyatta-users] DHCP/NAT/Firewall rules An-Cheng Huang wrote: Hi Tony, You should be able to put the allowed ports in the destination port-number/portname fields in the DNAT rule. This way, only packets with those destination ports will be DNATed and be able to access the 10.1.1.2 server. An-Cheng Tony Cratz wrote: I have set-up my OFR to use DHCP with an internal address space of 10.1.1.0/24. My OFR will receive my 71.159.206.0/29 on the IP of 71.140.62.22. So I'm using NAT to map 71.159.206.2 to 10.1.1.2 (as a bi-directional NAT). Now I want to have some rules (firewall?) to allow only a few ports to connect to the 71.159.206.2 (10.1.1.2) system such as SMTP, SSH, FTP, HTTP and a few others. The question I have is should these rules be defined as Firewall rules or as NAT rules? Thanks for the answer. background comment I have done a bit more readying since I sent the last two messages and found an old message to the list back in 10/2006 which mention about state {established: enable} thus answering the question about reflector lists. (note: this is not covered in the Configuration Guild, I had to read about it in the Command Reference to come close to understanding it). I also understand now that the firewalls really sit at the very edge on the interfaces. So in my above case I would need to use the 10.1.1.0/24 addresses in the rules. /background comment Now this brings up a couple of new question, if I have a firewall on eth1 (which would be the LAN interface) which uses reflector lists ( state {established: enable} ) and I specified the ports in my DNAT ... does this now 'punches' those ports through the firewall? Or are the ports now blocked by the firewall for any 'new' connections? Tony ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP: not configured to listen on any interfaces!
Hello, Concerning the message not configured to listen on any interfaces! i configure an IP address on an interface and it's working now But i still don't see the exclude command. Thanks Troopy -- Original Message -- From: Troopy . [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 4 Sep 2007 09:52:08 +0200 Hello, I am sorry i have another question. This time not a stupid one (i hope) I don't find the dhcp exclude command too. This time i am looking at the right place, i am at the dhcp subnet level and cannot see the set exclude command. i can see everything like domain-name,start,default-router but not exclude second thing when i just confiugure the dhcp shared-network-name and the subnet,i have the following thing: not configured to listen on any interfaces! Did i miss something, i could try to play on the Debian and add DHCPDARGS=eth0 to the dhcp.conf file but i think this is not a solution Thanks again TRoopy -- Original Message -- From: Troopy . [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Tue, 4 Sep 2007 08:33:42 +0200 Thanks very much We though that set start and set stop were at the same config level. THANKS again TRoopy -- Original Message -- From: Marat Nepomnyashy [EMAIL PROTECTED] Date: Mon, 3 Sep 2007 21:26:47 -0700 Hello Troopy, The DHCP range stop address is specified under the DHCP range start address. Here's an example of a command to set the start and stop IPs of the DHCP range leased out on shared network named dhcp1: 'set service dhcp-server shared-network-name dhcp1 subnet 192.168.2.0/24 start 192.168.2.100 stop 192.168.2.200' If you do a 'show service dhcp-server', this is what the output would be: [EMAIL PROTECTED] show service dhcp-server shared-network-name dhcp1 { subnet 192.168.2.0/24 { start 192.168.2.100 { stop: 192.168.2.200 } } } Hope this works, let me know if you have any more problems. -- Marat - Original Message - From: Troopy . [EMAIL PROTECTED] To: vyatta-users@mailman.vyatta.com Sent: Monday, September 03, 2007 2:53 AM Subject: [Vyatta-users] DHCP settings Hello, We are trying VC2.2 with DHCP settings. We can use set start ip_address but not set stop ip_address, the command is not recognized. (!) When we try to commit with only set start ip_address, vyatta complains that set stop is not configured Thanks The Openmaniak Team, http://www.openmaniak.com We will try to release new tutorials on - DHCP (VC2 was bugged) - BGP (VC2 was bugged) - VRRP authentification (VC2 was bugged) - IPSec (new vc2.2 functionnality) __ Désirez vous une adresse éléctronique @suisse.com? Visitez la Suisse virtuelle sur http://www.suisse.com __ Désirez vous une adresse éléctronique @suisse.com? Visitez la Suisse virtuelle sur http://www.suisse.com ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users __ Désirez vous une adresse éléctronique @suisse.com? Visitez la Suisse virtuelle sur http://www.suisse.com __ Désirez vous une adresse éléctronique @suisse.com? Visitez la Suisse virtuelle sur http://www.suisse.com ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users __ Désirez vous une adresse éléctronique @suisse.com? Visitez la Suisse virtuelle sur http://www.suisse.com ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP ip address on ethernet interface
Hello Vyatta, I found vyatta for a few days and i installed it successfully on my box. It runs all fine and i updated it to the latest state. But i have a simple question, it ist possible to recive a dynamic ip from an dhcp server on an vyatta ethernet interface ? i didnt find a solution in the past ? ...like on linux dhclient eth0 best regards Michael Michael, DHCP client addressing on interfaces is a highly requested feature but it isn't yet in the software. We're working on some changes to the system that will get it there in a couple of releases. The actual feature itself it relatively trivial to implement using the standard DHCP client packages but it has to wait until we make some other changes to the way that interfaces are handled in the system such that we don't interfere with the DHCP operation. Unfortunately, this other work is taking longer that we'd like. Look for this change in a few months. In the mean time, feel free to add your vote to the list of top-requested enhancements on the wiki: http://www.vyatta.com/twiki/bin/view/Community/TopEnhancements -- Dave ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users