OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: tofaz on November 03, 2020, 09:02:28 PM

Title: DHCPv4 and multiple subnets
Post by: tofaz on November 03, 2020, 09:02:28 PM
Hi all,

I'm currently running FreeBSD with PF as my current firewall and I'm using ISC-DHCPD as the DHCP server for all my networks. Since my core switch is taking care of the internal VLANs routing, then there is a /30 link to connect to the firewall.

With the setup above my DHCP server is configured with multiple subnets (not directly connected to it) and the core switch is relaying DHCP request from all the networks.

I'm thinking to switch back to OPNsense but I see that is not possible to assign multiple subnets to the DHCP scope if they're not directly assigned to it. Looking around I've seen few posts here and there in regards to the "issue" and a PR ticket on GitHub that never got resolved.

Does anyone know if this feature will ever appear in any future OPNsense release? They are using the same DHCP daemon so I'm not sure where the limitation is on the OPNsense side.

Thank you!
tofaz
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 05, 2020, 07:47:06 PM
Up
Title: Re: DHCPv4 and multiple subnets
Post by: Gauss23 on November 05, 2020, 08:15:19 PM
Can you show us an example of your existing config (FreeBSD host)?
And maybe you can post a link to that PR on GitHub?
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 05, 2020, 11:16:00 PM

authoritative;
default-lease-time 7200;
max-lease-time 14400;

subnet 172.16.200.0 netmask 255.255.255.252 {
}

# TOFA network

subnet 172.16.100.0 netmask 255.255.255.0 {
  range 172.16.100.150 172.16.100.250;
  option domain-name-servers 172.16.200.1;
  option domain-name "tofanos.com";
  option routers 172.16.100.254;
  option subnet-mask 255.255.255.0;
  option tftp-server-address 172.16.100.40;
}

# LAB1 network

subnet 172.16.101.0 netmask 255.255.255.0 {
  range 172.16.101.200 172.16.101.250;
  option domain-name-servers 172.16.200.1;
  option domain-name "lab1.tofanos.com";
  option routers 172.16.101.254;
  option subnet-mask 255.255.255.0;
}


Here is the link to the PR: https://github.com/opnsense/plugins/issues/1105
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 06, 2020, 05:47:20 AM
You have to install the FreeRADIUS plugin and use the DHCP service there (disable the other one first).
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 06, 2020, 02:54:23 PM
Thanks for the tip!

I tried and the freeradius daemon doesn't even start, with nothing present in the log. I will dig in more later when I'll have time.

But for OPNsense DHCPD do you know why the same daemon doesn't have a functionality implemented? I'm sure lots of companies have this scenario in their infrastructures.
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 06, 2020, 04:52:28 PM
Lack of the DHCP software itself.

Via CLI

radiusd -x
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 06, 2020, 08:07:01 PM
> Lack of the DHCP software itself.

FreeRadius or ISC-DHCPD? If the second one it works like a charm on its own.
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 06, 2020, 08:14:46 PM
Quote from: tofaz on November 06, 2020, 08:07:01 PM
> Lack of the DHCP software itself.

FreeRadius or ISC-DHCPD? If the second one it works like a charm on its own.

No, it can't handle subnets which are not connected, in fact the FreeBSD version. No idea about Linux.
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 06, 2020, 08:50:18 PM
It does, the config I have posted above is isc-dhcp44-server-4.4.2_1 on FreeBSD 12.2 and I have leases in 2 networks using one network interface and 1 subnet defined.

You just need to at least declare the attached network, even without a pool of addresses.
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 06, 2020, 09:25:30 PM
Ah ok, I had it wrong in my mind, it was nearly 2 years ago that I implemented it with FR.
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 06, 2020, 11:40:27 PM
OPNsense 20.7.4 has the same ISC-DHCPD version, so I am not sure why it lacks a standard functionality.
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 07, 2020, 07:41:03 AM
I think it would require a lot of work for code refactoring.
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 07, 2020, 05:51:52 PM
I guess it's due to the unification of config/lease files and GUI because OPNsense runs the same daemon. Maybe it's the way the GUI needs to show the different leases in different subnets.
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 07, 2020, 06:04:43 PM
Yes, no one wants to touch this legacy code and there are really few requests for such effort. The addition to FreeRADIUS was really small compared to this.
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 07, 2020, 08:03:47 PM
I don't understand, where is the legacy code, in isc-dhcpd or gui?
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 07, 2020, 08:43:25 PM
Gui
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 08, 2020, 04:47:46 PM
Uhm, since the feature is already present in isc-dhcpd I think we just need to rewrite the GUI to allow enabling an empty subnet (the one for your attached NIC) and then create pools as usual. In the lease page, leases can be grouped by subnet (in my case I'm just doing a grep "subnet") to determine the quantity.
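As an added illustration of the two points made in this thread (the listening interface's subnet must be declared, even empty, for relayed subnets to be served; and leases can be grouped by the declared subnet they fall in), here is a small script that is not part of the original posts or of OPNsense. It parses a constructed dhcpd.conf shaped like the one posted above and a constructed, abridged dhcpd.leases; the function names and sample data are assumptions.

```python
import ipaddress
import re

# Constructed dhcpd.conf in the shape of the one posted in the thread:
# the /30 facing the core switch is declared empty, the relayed VLANs carry pools.
DHCPD_CONF = """
authoritative;
subnet 172.16.200.0 netmask 255.255.255.252 {
}
subnet 172.16.100.0 netmask 255.255.255.0 {
  range 172.16.100.150 172.16.100.250;
  option routers 172.16.100.254;
}
subnet 172.16.101.0 netmask 255.255.255.0 {
  range 172.16.101.200 172.16.101.250;
}
"""

# Constructed, abridged dhcpd.leases entries (ISC dhcpd lease-file syntax).
DHCPD_LEASES = """
lease 172.16.100.151 {
  binding state active;
  hardware ethernet 00:11:22:33:44:01;
}
lease 172.16.101.201 {
  binding state active;
  hardware ethernet 00:11:22:33:44:02;
}
lease 172.16.101.202 {
  binding state free;
  hardware ethernet 00:11:22:33:44:03;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{([^}]*)\}", re.S)

def parse_subnets(conf):
    """Return every subnet declaration as an ipaddress network (empty ones included)."""
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in SUBNET_RE.findall(conf)]

def relay_ready(conf, iface_addr):
    """True if the subnet of the interface that receives relayed requests is declared."""
    return any(ipaddress.ip_address(iface_addr) in n for n in parse_subnets(conf))

def leases_by_subnet(conf, leases, state="active"):
    """Group lease IPs in the given binding state by the declared subnet they fall in."""
    groups = {str(n): [] for n in parse_subnets(conf)}
    for ip, body in LEASE_RE.findall(leases):
        if f"binding state {state};" not in body:
            continue
        for n in parse_subnets(conf):
            if ipaddress.ip_address(ip) in n:
                groups[str(n)].append(ip)
    return groups
```

Running relay_ready with the address of the /30 link confirms the "empty subnet" precondition; leases_by_subnet gives the per-subnet counts the leases page would need.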
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 08, 2020, 05:11:35 PM
If you have the time, I think the core team is happy to review.
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 08, 2020, 06:15:01 PM
Unfortunately I'm not a developer and I just have average skills with bash scripting and trying to learn Python. I would really love to be directly involved with the project but I guess the gap is big.
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 08, 2020, 06:30:25 PM
I also have no idea about legacy code base, sorry.
Title: Re: DHCPv4 and multiple subnets
Post by: Gauss23 on November 08, 2020, 09:08:18 PM
Just had a look into the code. Yesterday I made a PR for DHCPv4, where the limitation of not being able to reserve static leases could be removed.

Looks like the smallest effort to realize this feature would be to have a dummy interface in DHCPv4 menu-list. On this interface (i.e. "Generic") you could create subnets and pools as you wish. From a first short review it looks like the config-writer who is creating the dhcpd.conf should not need any changes.
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 09, 2020, 02:32:55 AM
That's great news! How about the leases page? Do you think it is convenient to keep it as is, with all different subnets listed under one single table, or divide the page based on the subnets found in the config file?
Title: Re: DHCPv4 and multiple subnets
Post by: tofaz on November 24, 2020, 08:43:40 PM
I have opened an issue on Github but I'm not sure why it has been marked as incomplete without any reason/explanation:

https://github.com/opnsense/core/issues/4450

Any idea why?
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on November 24, 2020, 10:00:29 PM
Because you didn't use the template.
Title: Re: DHCPv4 and multiple subnets
Post by: mic on October 21, 2021, 05:15:52 PM
Hi,

I am writing here to pull the following request about the DHCPv4 Server.
We have many instances of virtualized OPNsense in our datacenter, and the most important feature that this wonderful firewall misses is the ability to release, via its DHCPv4 Server, IP addresses that are not in the subnet of the interface where OPNsense receives the DHCPv4 requests. For instance, if we have 2 or more branch offices in which only Cisco routers are present (one per office) and one of the hosts in that office makes a DHCPv4 request, the Cisco router forwards this request via DHCP relay to our OPNsense. The problem is that OPNsense is not able to process this request because it receives it on an interface that is not directly connected (layer 2) to the host that needs to receive a specific IP address.

Thank you
Title: Re: DHCPv4 and multiple subnets
Post by: mimugmail on October 21, 2021, 07:46:21 PM
The FreeRADIUS plugin offers this feature.
Title: Re: DHCPv4 and multiple subnets
Post by: spyderdyne on October 23, 2021, 03:00:50 PM
Quote from: mimugmail on November 06, 2020, 05:47:20 AM
You have to Install Freeradius Plugin an use the DHCP service there (prior disable the other one)

Boo... Hiss...

Been installing an Ubuntu MaaS Region controller and a pair of MaaS Rack Controllers for this instead.  You can just run the Rack nodes as LXC container hypervisor VMs.  Make sure to set up a Bridge interface first and reuse it in "lxd init", and you should be able to keep your lonely little physical interface DHCP4 server for untagged stuff.  MaaS will see it, and you will have to decide which rack controller you want to use to manage that "fabric", or you can also dump the basic interface-locked DHCP server as well.  I used an older Intel NUC i5 w/16GB RAM for rack + region and then added an LXD container rack controller inside until I am ready to add the other NUCs to the cluster.  R-Pi 4B will also work fine for MaaS-Rack, is passable for Rack+Region, and a Model 3B isn't going to blow you away performance-wise, but can run a single rack controller w/o too much trouble.

You don't need to import Images to the region controller(s), but I have some Dell R720s with NVidia Grid (16GB NVRAM EACH!!!) cards that I have been dying to rack and automate PXE on so I can do a Prometheus > Rundeck > Chef > MaaS > LXD > Rancher K3S > Docker thing that I made to fire up crypto-toys whenever resource utilization drops below 45%

It's pretty idiotic, but maybe free money.  Who knows.

Since the PF network stack is so jacked, how do you feel about another crappy Ubuntu distro named something cool like "Open-Scarecrow" or something?  It would just add NGINX and a CGI like PHP/Node/Grails, a little PostGREs DB for persistence, all the RRDTool stuff, port a few BSD IDS/IPS/Firewall toys over, and drops in an automated rules builder that drops in the faves, and actually attempts to configure your firewall rules across logical boundaries between hops instead of physical hardware?

InterfaceName = Wireless
Is the network ZoneType = Private/Public/Shared
Are devices on this network able to see sensitive data or machines with sensitive data without requiring a login? IF yes GOTO Would you like to require password protection for users attempting to access these devices? IF YES GOTO Captive Portal config...
Do you use this network for secure traffic?  (banking/shopping/protected work content or networks/etc.)
Does this network attach to unsecured devices? (firestick/smart tv/voice assistant)
RAISE WARNING => be sure to always use encrypted connections when conducting business over shared-use network zones! <link to docs>

As I continue to catch firewall blocks and passes in the live log, it occurs to me that I shouldn't have to create rule after rule to chase down an automagically generated block rule that I'm not allowed to turn off, because I have a WLAN VLAN subnet and it's not technically a LAN, or an unsecured post-apocalyptic hellscape of evil hacker gangs, but I would still like to have IP addresses or be able to cast a video to another device sometimes...

Over the past few years I got to see what's hiding behind the curtain at these massive household institutions that hold all our money and identities and proof of who we are, what we have done, and whether we own something or not.  It wasn't reassuring at all, and my suspicions that the 20 year veteran in cyber-security is even more clueless (didn't think it possible) than the 20 year veteran in enterprise infrastructure when it comes to staying up to date on current (even the past 5 years...) technology, how threat vectors actually work and how to effectively mitigate them (homeland security successfully gets dummy bombs onto airplanes at an 85% rate still, so why did you have to remove your shoes?); leadership is just playing the numbers game, most of the money we spend is just wasted on things that are no more effective than printing the word security and hanging it on the wall...

I digress.  Looking like an epic derailing actually. LOL

I'm just very disappointed in the immature state of Open Source security tooling maybe, but vendors with funding are really blatant about bending us over and ramming it in for an annual license on a mid-range firewall to activate the firewall portion, or paying 12 cents more for a network ASIC and charging 3X to 5X more than the adjacent model for it because current "wirespeed technology" is 10Gbps now.  Even crippling devices so I have to pay $700 for 2GB of RAM that's slower than what came in the cell phone I just replaced...

Feel free to bump.  Not what I intended to post initially, but I don't have to lie down and take it.  Neither should you...

I won't accuse anybody of sucking.  Just expressing a motive to challenge others to do better? ;)