DHCP Server
From CafeWiki
When OpenVPN is used to create a virtual subnet spanning two or more physical networks, the use of DHCP on the spanned subnet can be a problem. It is desirable to have hosts on each physical network use the local router for internet access - there is a noticeable performance penalty when a host obtains an IP address, via the VPN, from a router on a different physical network. A picture might help:
In this case, hosts on Network A set to obtain dynamic IP addresses may be served an address from either Router A or Router B, via the VPN bridge. Which DHCP server wins the race to serve an IP to any given host depends on things like network latency or data caching in hosts and switches. In any event, it's not deterministic. Note that the configuration shown requires that the two routers be carefully managed to ensure that the DHCP ranges served by each don't overlap.
A better solution is to set up a dedicated DHCP server on each physical network, allowing all the hosts to be set to dynamic, but serving out fixed IPs as required. This approach still requires careful management in that each DHCP server needs to be configured to respect the other DHCP server's dynamic ranges.
At first glance, this doesn't appear to improve the first situation as Host A can still be served an IP address from either DHCP server via the VPN. The improvement comes from the fact that router-based dhcp servers have only a subset of DHCP functionality. A full DHCP server installation on a dedicated server can make use of the full set of DHCP features, including the ability to assign fixed (i.e. pre-determined) IP addresses to specific hosts as identified by the host MAC address. Given careful configuration of the DHCP servers across the subnet, it can be ensured that each host uses its local router as its gateway.
While this approach can be a bit impractical in a home networking situation where physical computers are used for each server, it works very well in a virtualized environment. The DHCP server can be a dedicated VM running under ESXi.
Installation
Build a server (using, for example, Ubuntu Server edition on bare metal or as a VM, as desired), selecting only the SSH option during the install. Once the installation is complete, configure the DHCP server to have a static interface:
nano /etc/network/interfaces
Edit the interfaces file as follows:
# The primary network interface
auto eth0
# comment out the existing dynamic interface setup:
# iface eth0 inet dhcp
# static interface setup for eth0 (ifupdown only treats lines that start
# with # as comments, so each note is kept on its own line)
iface eth0 inet static
    # static address for this DHCP server
    address 192.168.1.222
    # netmask for a /24 subnet
    netmask 255.255.255.0
    # IP address of the router on the local physical network
    gateway 192.168.1.1
Install the DHCP service:
apt-get install dhcp3-server
Edit the configuration file (see next section for details):
nano /etc/dhcp3/dhcpd.conf
Restart the DHCP service to force changes to take effect:
/etc/init.d/dhcp3-server restart
Note that the only devices on the subnet with static addresses will be the routers and the DHCP servers.
Configuration of the DHCP Servers
DHCP configuration can be quite complex; refer to the dhcpd.conf man page or an online resource. DHCP configuration is managed in a dhcpd.conf file (at /etc/dhcp3/dhcpd.conf in the installation above). The configuration for each DHCP server is hierarchical in three layers:
- Host configuration - settings applicable to individual hosts (takes precedence over any group or global configuration settings)
- Group configuration - settings applicable to groups of hosts (takes precedence over any global configuration settings)
- Global configuration - settings applicable to any host not configured at the host or group level
There are many options that can be configured and the precedence is at the option level, not the host level. Here is a sample of how a dhcpd.conf file can be configured:
## DHCP Server Configuration file
subnet 192.168.1.0 netmask 255.255.255.0 # specify common subnet for all physical networks
{
    # Default Gateway
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com";
    option domain-name-servers 192.168.1.1;
    range 192.168.1.100 192.168.1.124; # dynamically allocated IPs
    default-lease-time 86400; # i.e. 24 hours
    max-lease-time 86400; # i.e. 24 hours

    # example of a host on a local physical network with a
    # fixed network address (allows the client to be set to
    # dhcp, but always obtain the same IP address)
    host hostname1
    {
        hardware ethernet 00:00:00:00:00:00; # use actual MAC
        fixed-address 192.168.1.125; # hostname1 always gets this IP
        option routers 192.168.1.1; # router in hostname1's local network
        option domain-name "example1.com"; # hostname1's local domain name
        option domain-name-servers 192.168.1.1; # hostname1's local name server
    }
    # End hostname1 configuration

    # example of a host on a remote physical network with a
    # fixed network address, where the remote network is
    # connected via VPN, but the internet access needs to be
    # through the router local (physically) to that host
    host hostname2
    {
        hardware ethernet 00:00:00:00:00:00; # use actual MAC
        fixed-address 192.168.1.126; # hostname2 always gets this IP
        option routers 192.168.1.2; # router in hostname2's local network
        option domain-name "example2.com"; # hostname2's local domain name
        option domain-name-servers 192.168.1.2; # hostname2's local name server
    }
    # End hostname2 configuration
}
# End Configuration File
Fixed addresses allow a device with a specified MAC address to always get the same IP address from the DHCP server. In this situation all DHCP servers must have coordinated configurations, so that every server assigns the correct IP address and router to each host, no matter whether the host gets its address from the local DHCP server or from another one via the VPN. This takes a bit of effort up front but allows each host to be configured for dynamic addresses.
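One way to verify that coordination before restarting the servers, as an added example rather than anything from this wiki: a small Python script that parses the subset of dhcpd.conf syntax used above from each server's configuration and checks that the dynamic ranges of different servers don't overlap, that no fixed address falls inside any dynamic range, and that every MAC address is given the same fixed address and router by every server. The two configurations, the MAC addresses, server B's range and the deliberate mismatch for hostname2 are all constructed for the demonstration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed dhcpd.conf fragments for the two servers in the diagram, modelled on the
# sample above; server B's range and the drift in hostname2's address are constructed.
SERVER_A = """subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.100 192.168.1.124;
  host hostname1 { hardware ethernet 00:00:00:00:00:01; fixed-address 192.168.1.125; option routers 192.168.1.1; }
  host hostname2 { hardware ethernet 00:00:00:00:00:02; fixed-address 192.168.1.126; option routers 192.168.1.2; } }"""
SERVER_B = """subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.130 192.168.1.150; # router B's pool
  host hostname1 { hardware ethernet 00:00:00:00:00:01; fixed-address 192.168.1.125; option routers 192.168.1.1; }
  host hostname2 { hardware ethernet 00:00:00:00:00:02; fixed-address 192.168.1.127; option routers 192.168.1.2; } }"""

HOST_RE = re.compile(r"host\s+(\S+)\s*\{([^}]*)\}")
RANGE_RE = re.compile(r"\brange\s+([\d.]+)\s+([\d.]+)\s*;")
def parse(conf):
    # Returns (dynamic ranges as (first, last) address pairs, hosts keyed by lower-case MAC).
    text = re.sub(r"#.*", "", conf)  # strip comments before matching
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in RANGE_RE.findall(text)]
    hosts = {}
    for name, body in HOST_RE.findall(text):
        mac = re.search(r"hardware\s+ethernet\s+([0-9a-f:]+)\s*;", body, re.I).group(1).lower()
        ip = ipaddress.ip_address(re.search(r"fixed-address\s+([\d.]+)\s*;", body).group(1))
        router = re.search(r"option\s+routers\s+([\d.]+)\s*;", body)
        hosts[mac] = (name, ip, router.group(1) if router else None)
    return ranges, hosts

def check(confs):
    # Returns a list of findings; an empty list means the servers are coordinated.
    problems = []
    parsed = {srv: parse(c) for srv, c in confs.items()}
    # Expand each server's dynamic ranges into a set of integer addresses.
    pools = {s: {i for lo, hi in rs for i in range(int(lo), int(hi) + 1)} for s, (rs, _) in parsed.items()}
    # 1. dynamic ranges served by different servers must not overlap
    for s1, s2 in combinations(pools, 2):
        if pools[s1] & pools[s2]:
            problems.append(f"dynamic ranges of {s1} and {s2} overlap")
    # 2. a fixed address must lie outside every server's dynamic range
    for srv, (_, hosts) in parsed.items():
        for name, ip, _ in hosts.values():
            for psrv, ips in pools.items():
                if int(ip) in ips:
                    problems.append(f"{name}: fixed-address {ip} on {srv} lies inside {psrv}'s dynamic range")
    # 3. every MAC must be given the same fixed address and router by every server
    for mac in sorted(set().union(*(h for _, h in parsed.values()))):
        views = {srv: hosts.get(mac) for srv, (_, hosts) in parsed.items()}
        if len({v[1:] if v else None for v in views.values()}) > 1:
            problems.append(f"{mac} is configured differently across servers: {views}")
    return problems
```

Run check() over the real files from each server (read with open()) before restarting the dhcp3-server service; with the constructed input above it reports only the hostname2 mismatch.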
This approach requires obtaining the MAC address for each host that needs a fixed IP. If there are more than a few hosts, using ifconfig on each one can be onerous. A simple solution is to use nmap to port scan the entire network (that is, the 192.168.1.0/24 subnet in the example above), then run
arp -a
to obtain all the current IP and MAC addresses for the active hosts on the network.
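As an added example that is not part of the wiki page, the following Python script turns arp -a output (Linux net-tools format) into host stanzas in the layout used above: incomplete entries and the statically addressed routers are skipped, fixed addresses are handed out sequentially from a starting address you choose above the dynamic range, and a small mapping names the router for hosts that sit on the remote physical network. The ARP output, MAC addresses and the mapping are constructed.

```python
import ipaddress
import re

# Constructed `arp -a` output in Linux net-tools format; the last entry never
# answered and must be skipped, and the router has a static address (see above).
ARP_OUTPUT = """\
router-a (192.168.1.1) at 00:00:00:00:00:a1 [ether] on eth0
? (192.168.1.101) at 00:00:00:00:00:01 [ether] on eth0
printer (192.168.1.102) at 00:00:00:00:00:02 [ether] on eth0
? (192.168.1.150) at <incomplete> on eth0
"""
ARP_RE = re.compile(r"^(\S+) \((\d+\.\d+\.\d+\.\d+)\) at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ", re.I | re.M)

def arp_entries(text, static_ips=()):
    """Return [(name_or_None, current_ip, mac)] for complete entries not in static_ips."""
    out = []
    for name, ip, mac in ARP_RE.findall(text):
        if ip not in static_ips:
            out.append((None if name == "?" else name, ip, mac.lower()))
    return out

def host_stanzas(entries, first_fixed, local_router, remote_router_for=None):
    """Render one dhcpd.conf host block per entry in the layout used above.
    Fixed addresses are handed out sequentially from first_fixed (choose it above the
    dynamic range); remote_router_for maps a MAC to the router on that host's own
    physical network, and every other host is given local_router."""
    remote_router_for = remote_router_for or {}
    first = ipaddress.ip_address(first_fixed)
    stanzas = []
    for i, (name, _, mac) in enumerate(entries):
        router = remote_router_for.get(mac, local_router)
        label = name or "host" + mac.replace(":", "")[-6:]  # ARP showed no name
        stanzas.append(
            f"host {label}\n{{\n  hardware ethernet {mac};\n  fixed-address {first + i};\n"
            f"  option routers {router};\n  option domain-name-servers {router};\n}}")
    return stanzas
```

The generated stanzas are a starting point: every MAC-to-router assignment still has to be checked by hand, since an ARP table on a bridged subnet cannot tell which physical network a host is on.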