Author Topic: Multiple Subnets in a single Zone  (Read 19417 times)
Gewuerzwiesel
Jr. Member
Posts: 5

« on: Thursday 22 March 2012, 01:20:24 am »

Hi there!

I have trouble with the configuration of the firewall, especially with the configuration of the DHCP service. I have read a bit in these forums and came to the conclusion that my desired network layout does not work with Endian. I have seen some hints that I could hack the DHCP config, but no concrete examples.

What I need to achieve is that I have several subnets in a zone (green and orange) which are separated by VLAN. In the attached graphic you can see the desired layout. Every cloud represents a VLAN with its own subnet.

I'm open to any suggestion to solve my problem.

Regards
Gewuerzwiesel

mrkroket
Hero Member
Posts: 495

« Reply #1 on: Friday 23 March 2012, 10:33:18 am »

Do you want a DHCP server by VLAN and not by zone?
This is not what Endian does. Your only option is to modify the DHCP template and adapt it to your needs.
But the DHCP web page won't be very useful anymore, only for enabling/disabling the DHCP server and viewing leases.

Gewuerzwiesel
Jr. Member
Posts: 5

« Reply #2 on: Friday 23 March 2012, 09:40:22 pm »

That's what I want to do and what I have already read: modify the DHCP template. Well, I'd like to, but how do I? I'm not sure how to get DHCP to provide different subnets based on VLANs...

David.Dejaeghere
Full Member
Gender: Male
Posts: 17

« Reply #3 on: Saturday 24 March 2012, 12:45:50 am »

Hello Gewuerzwiesel,

This is fairly simple to do.

Just edit /etc/dhcpd.conf.tmpl

Code:
nano /etc/dhcpd.conf.tmpl

then after this section:
Code:
shared-network $zone.KEY {
    interface $zone.DEV;
    server-identifier $zone.ADDRESS;
    subnet $zone.NETADDRESS netmask $zone.NETMASK {
        #if $zone.ONLY_FIXEDLEASE != 'on'
        pool {
          #if $isFailover
            failover peer "HA";
          #end if
            deny dynamic bootp clients;
            range $zone.RANGE_START $zone.RANGE_END;
        }
        #end if
        default-lease-time $zone.DEFAULT_LEASE_TIME;
        max-lease-time $zone.MAX_LEASE_TIME;
        option subnet-mask $zone.NETMASK;
        #if $zone.DOMAIN_NAME
          option domain-name "$zone.DOMAIN_NAME";
        #end if
        #if $zone.GATEWAY != '':
          option routers $zone.GATEWAY;
        #else
          option routers $zone.ADDRESS;
        #end if
          option wpad "http://${zone.ADDRESS}/proxy.pac";
        #if $zone.DNS
          option domain-name-servers $zone.DNS;
        #end if
        #if $zone.NTP
          option ntp-servers $zone.NTP;
        #end if
        #if $zone.NETBIOS
          option netbios-name-servers $zone.NETBIOS;
        #end if
        #try
        #include "/var/efw/dhcp/custom_" + $zone.KEY + ".tpl"
        #except
        #pass
        #end try
    }

add this example and edit it to fit your needs:

Code:
    subnet 192.168.100.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option domain-name "mydomain.local";
        option routers 192.168.100.1;
        option wpad "http://192.168.0.15/proxy.pac";
        option domain-name-servers 192.168.0.15;
        option ntp-servers 192.168.0.15;
    }

To separate hosts into specific subnets you could use static DHCP entries via the web interface.

Gewuerzwiesel
Jr. Member
Posts: 5

« Reply #4 on: Saturday 24 March 2012, 01:50:22 am »

Ok, I've tried something similar, but to no avail. Do I need to bind an IP address to the VLAN interfaces? Until now, I've just tried to bind 2 addresses to the green bridge interface.

David.Dejaeghere
Full Member
Gender: Male
Posts: 17

« Reply #5 on: Monday 26 March 2012, 10:33:50 pm »

You don't need VLANs for my configuration. But of course the DHCP server will not automatically use this extra subnet. You will need to assign IPs to MAC addresses using the web GUI.
I have used this before for logical separation of VoIP endpoints. All VoIP endpoints get a static IP in the extra subnet, assigned by the DHCP server.

Gewuerzwiesel
Jr. Member
Posts: 5

« Reply #6 on: Tuesday 27 March 2012, 09:16:04 pm »

Well, but I need VLANs in our network. And assigning IP addresses to MACs is not an option, because I would have to maintain a list of several hundred IP addresses, which is far too much work.

mrkroket
Hero Member
Posts: 495

« Reply #7 on: Wednesday 28 March 2012, 02:44:00 am »

Just tweak the DHCP template as I said before: create zones, one for each VLAN you need.
It's better to make a backup of the template and create a file from scratch, adapted to your needs.
For each zone you can define on what interface it will be listening (even VLAN interfaces).
You don't need leases for VLANs, just a proper dhcp.conf:

Code:
    subnet 192.168.100.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option domain-name "mydomain.local";
        option routers 192.168.100.1;
        option wpad "http://192.168.0.15/proxy.pac";
        option domain-name-servers 192.168.0.15;
        option ntp-servers 192.168.0.15;
        interface "eth0.2";
    }
This will set up a DHCP server on VLAN 2 of interface eth0. It works because I used that on another Linux system. The config above will give DHCP addresses only on VLAN 2, neither on eth0 nor on any other interface.
Do not define any DHCP server on the bridged interfaces if you already defined subnets on non-bridged interfaces (e.g., if eth0.2 is part of GREEN=br0, do not set zones for both interfaces at the same time; it could lead to indefinitions).
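As an added example (my own code, not from the Endian project or from any poster in this thread), the following Python script generates per-VLAN subnet stanzas in the form shown in Reply #3 and Reply #7 and checks them for the mistakes that make a hand-edited multi-subnet dhcpd.conf misbehave: overlapping subnets, a router or pool range outside its own subnet, a pool whose start lies after its end, and two stanzas bound to the same VLAN interface. The VLAN definitions, interface names and addresses are constructed sample data; `VlanSubnet`, `validate`, `render` and `example_vlans` are names I chose, and the `interface "..."` line inside the stanza is reproduced from the posted config rather than taken from the ISC dhcpd documentation.

```python
"""Generate and sanity-check per-VLAN ISC dhcpd subnet stanzas.

Added example, not Endian's template or the thread's own config. It renders
one "subnet ... { ... interface "ethX.N"; }" block per VLAN, as posted in the
thread, and validates the addressing before the file is written.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VlanSubnet:
    """One VLAN to serve; all names/addresses are assumptions for the example."""
    interface: str     # VLAN sub-interface, e.g. "eth0.2" (VLAN 2 on eth0)
    network: str       # subnet in CIDR form, e.g. "192.168.100.0/24"
    router: str        # default gateway handed to clients in this VLAN
    range_start: str   # first address of the dynamic pool
    range_end: str     # last address of the dynamic pool
    dns: str           # option domain-name-servers
    domain: str = "mydomain.local"


def validate(subnets):
    """Return a list of problem strings; an empty list means consistent."""
    problems = []
    seen_if = {}   # interface -> network already bound to it
    nets = []      # (interface, network) seen so far, for overlap checks
    for s in subnets:
        net = ipaddress.ip_network(s.network, strict=True)
        # Router and pool must lie inside the subnet that advertises them,
        # otherwise clients get a gateway/lease they cannot actually use.
        for label, addr in (("router", s.router),
                            ("range_start", s.range_start),
                            ("range_end", s.range_end)):
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"{s.interface}: {label} {addr} not in {net}")
        if ipaddress.ip_address(s.range_start) > ipaddress.ip_address(s.range_end):
            problems.append(f"{s.interface}: pool start is after pool end")
        # One stanza per VLAN interface; a second binding is a copy/paste error.
        if s.interface in seen_if:
            problems.append(f"{s.interface}: bound twice "
                            f"({seen_if[s.interface]} and {net})")
        seen_if[s.interface] = net
        # Overlapping subnets make dhcpd's choice of subnet ambiguous.
        for other_if, other in nets:
            if net.overlaps(other):
                problems.append(f"{s.interface} {net} overlaps {other_if} {other}")
        nets.append((s.interface, net))
    return problems


def render(subnets):
    """Render dhcpd.conf stanzas in the layout used by the thread's example."""
    out = []
    for s in subnets:
        net = ipaddress.ip_network(s.network, strict=True)
        out.append(f"subnet {net.network_address} netmask {net.netmask} {{")
        out.append(f"    option subnet-mask {net.netmask};")
        out.append(f'    option domain-name "{s.domain}";')
        out.append(f"    option routers {s.router};")
        out.append(f"    option domain-name-servers {s.dns};")
        out.append(f"    range {s.range_start} {s.range_end};")
        out.append(f'    interface "{s.interface}";')   # as posted in the thread
        out.append("}")
    return "\n".join(out) + "\n"


def example_vlans():
    """Constructed sample: two VLANs on eth0, DNS on a server in GREEN."""
    return [
        VlanSubnet("eth0.2", "192.168.100.0/24", "192.168.100.1",
                   "192.168.100.50", "192.168.100.200", "192.168.0.15"),
        VlanSubnet("eth0.3", "192.168.101.0/24", "192.168.101.1",
                   "192.168.101.50", "192.168.101.200", "192.168.0.15"),
    ]


if __name__ == "__main__":
    vlans = example_vlans()
    errors = validate(vlans)
    if errors:
        raise SystemExit("refusing to write config:\n  " + "\n  ".join(errors))
    print(render(vlans))
```

Run the script and redirect its output into the file your template includes (for example a `/var/efw/dhcp/custom_*.tpl` fragment, as the stock template's `#include` line suggests); a non-empty problem list aborts before anything is written, so a typo in a router address or an overlapping VLAN never reaches dhcpd.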

Gewuerzwiesel
Jr. Member
Posts: 5

« Reply #8 on: Wednesday 28 March 2012, 06:19:10 pm »

Ah ok, that's why my first attempt failed. But now it works like a charm. Thank you!