EFW Support

Support => General Support => Topic started by: Gewuerzwiesel on Thursday 22 March 2012, 01:20:24 am


Title: Multiple Subnets in a single Zone
Post by: Gewuerzwiesel on Thursday 22 March 2012, 01:20:24 am
Hi there!

I have trouble with the configuration of the firewall, especially with the configuration of the DHCP service. I have read a bit in these forums and came to the conclusion, that my desired Network-layout does not work with endian. I have seen some hints, that I could hack the dhcp config, but no concrete examples.

What I need to achieve is, that I have several subnets in a zone (green and orange) which are separated by VLAN. In the attached graphic you can see the desired Layout. Every cloud represents a VLAN with its own subnet.

I'm open for every suggestion to solve my problem.

Regards
Gewuerzwiesel

Title: Re: Multiple Subnets in a single Zone
Post by: mrkroket on Friday 23 March 2012, 10:33:18 am
Do you want a DHCP server by VLAN and not by zone.
This is not what endian do. Your only option is to modify the DHCP template and adapt it to your needs.
But the DHCP webpage won't be very useful anymore, only for enabling/disabling DHCP server and leases.

Title: Re: Multiple Subnets in a single Zone
Post by: Gewuerzwiesel on Friday 23 March 2012, 09:40:22 pm
Thats what I want to do and what I have already read: Modify the DHCP template. Well, I'd like to, but how do I? I'm not sure how to get DHCP to provide different subnets basend on VLANs...

Title: Re: Multiple Subnets in a single Zone
Post by: David.Dejaeghere on Saturday 24 March 2012, 12:45:50 am
Hello Gewuerzwiesel,

This is fairly simple to do.

Just edit /etc/dhcpd.conf.tmpl

Code:
nano /etc/dhcpd.conf.tmpl

then after this section:
Code:
shared-network $zone.KEY {
    interface $zone.DEV;
    server-identifier $zone.ADDRESS;
    subnet $zone.NETADDRESS netmask $zone.NETMASK {
        #if $zone.ONLY_FIXEDLEASE != 'on'
        pool {
          #if $isFailover
            failover peer "HA";
          #end if
            deny dynamic bootp clients;
            range $zone.RANGE_START $zone.RANGE_END;
        }
        #end if
        default-lease-time $zone.DEFAULT_LEASE_TIME;
        max-lease-time $zone.MAX_LEASE_TIME;
        option subnet-mask $zone.NETMASK;
        #if $zone.DOMAIN_NAME
          option domain-name "$zone.DOMAIN_NAME";
        #end if
        #if $zone.GATEWAY != '':
          option routers $zone.GATEWAY;
        #else
          option routers $zone.ADDRESS;
        #end if
          option wpad "http://${zone.ADDRESS}/proxy.pac";
        #if $zone.DNS
          option domain-name-servers $zone.DNS;
        #end if
        #if $zone.NTP
          option ntp-servers $zone.NTP;
        #end if
        #if $zone.NETBIOS
          option netbios-name-servers $zone.NETBIOS;
        #end if
        #try
        #include "/var/efw/dhcp/custom_" + $zone.KEY + ".tpl"
        #except
        #pass
        #end try
    }

add this example and edit to fit your need

Code:
    subnet 192.168.100.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option domain-name "mydomain.local";
        option routers 192.168.100.1;
        option wpad "http://192.168.0.15/proxy.pac";
        option domain-name-servers 192.168.0.15;
        option ntp-servers 192.168.0.15;
    }

To seperate hosts to specific subnets you could use static dhcp entries using the web interface.

Title: Re: Multiple Subnets in a single Zone
Post by: Gewuerzwiesel on Saturday 24 March 2012, 01:50:22 am
Ok, I#ve tried something similar, but to no avail. Do I need to bind an ip-address to the vlan interfaces? Until now, I#ve just tried to bind 2 Adresses to the green bridge Interface.

Title: Re: Multiple Subnets in a single Zone
Post by: David.Dejaeghere on Monday 26 March 2012, 10:33:50 pm
You dont need vlans for my configuration. But ofcourse the dhcp server will not automatically use this extra subnet. You will need to assign ips to mac addresses using the web gui.
I have used this before for logical seperation of voip endpoints. All voip endpoints get a static ip in the extra subnet assigned by the dhcp server

Title: Re: Multiple Subnets in a single Zone
Post by: Gewuerzwiesel on Tuesday 27 March 2012, 09:16:04 pm
Well, but I need VLANs in our network. And assign ip addresses to macs is not an option, because I would have to maintain a list of several hundred ip addresses, which is far to much work.

Title: Re: Multiple Subnets in a single Zone
Post by: mrkroket on Wednesday 28 March 2012, 02:44:00 am
Just tweak the dhcp template as I said before, create zones, one for each VLAN you need.
It's better to make a backup of the template and create a file from scratch, adapted to your needs.
For each zone you can define on what interface it will be listening (even  VLAN interfaces).
You don't need leases for VLAN's, just a proper dhcp.conf

Code:
    subnet 192.168.100.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option domain-name "mydomain.local";
        option routers 192.168.100.1;
        option wpad "http://192.168.0.15/proxy.pac";
        option domain-name-servers 192.168.0.15;
        option ntp-servers 192.168.0.15;
        interface "eth0.2";
    }
This will set a DHCP server on VLAN 2 of interface eth0. It works because I used that on another Linux system. The config above will give DHCP addresses only on VLAN 2, neither on eth0 or on any other interface.
Do not define any DHCP server on the bridged interfaces if you already defined subnets on non-bridged interfaces ( e.g., if eth0.2 is part of GREEN=br0, do not set zones for both interfaces at the same time, it could lead to indefinitions).

Title: Re: Multiple Subnets in a single Zone
Post by: Gewuerzwiesel on Wednesday 28 March 2012, 06:19:10 pm
Ah ok, thats why my first attempt failed. But now it works like a charm :) Thank you!


Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media