OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: opnsense@f2f10.com on March 04, 2018, 02:26:56 pm

Title: DHCP Serving multiple subnets to remote networks (vlans), not directly connected
Post by: opnsense@f2f10.com on March 04, 2018, 02:26:56 pm
Hi Wonder team here!!

I am in a project with an opportunity of replacing Windows AD/DHCP/DNS stuff with BSD/Linux. I have to do it piece by piece.

I plan to have one LAN only with CARP serving as default Gateway for all the company's outgoing traffic. This only LAN will be something like 10.16.229.0/29, with one IP for the Primary OpnSense, another for the Secondary, and a VIP. I prefer not to have DHCP on this VLAN, because all these IPs are only for OpnSense to use; however, if I have to enable it for the purpose of getting my following purpose served, it's ok for me to enable DHCP on this VLAN as well. The rest of the LANs (VLANs) will be on the remote Cisco access switches. They are not directly connected to OpnSense. Otherwise, I could extend those VLANs across multiple switches/links to OpnSense, which will be a mess with STP. I'd like to use Layer 3 Routing on those switches to take care of routing to reach those remote VLANs.

Instead of setting up another pair of DHCP/DNS servers to serve the remote VLAN networks with a centralized pool of multiple subnets, just like what the Windows DHCP server does, I'd like to utilize OpnSense's DHCP/DNS function to do this. I don't like to get these remote VLANs directly connected to OpnSense, which complicates things with STP on all switches across the whole company.

For the DNS part, I assume that by just pointing the remote DHCP client PC to a DNS IP with a DHCP server option, it would work. Correct?

For the DHCP server handing out multiple subnets based on the remote VLAN interface IP as the source of the DHCP request, it seems hard to get it set up. All my switches with those VLANs will have Cisco "ip dhcp helper x.x.x.x" configured on the Layer 3 VLAN (with one IP and IP subnet configured on the VLAN). When a client does a DHCP request, this helper will forward it to DHCP server x.x.x.x with the source IP of this VLAN's IP. The Windows DHCP server can assign pools of IP subnets well based on the IP Helper's source IP.

When I tried to do this on the OpnSense LAN, I found no way of doing this. Even if I enable the DHCP server on this LAN, the additional pool range must be within this LAN's Interface subnet.

However, based on the bottom of this post, https://community.spiceworks.com/topic/1331562-isc-dhcp-server-for-multiple-vlans

The only thing we need to get the isc-dhcp server working for this purpose is to add this simple declaration within dhcpd.conf.

Quote
# This subnet is the one that the DHCP server is in, has to be here in order
# for the server to hand out addresses. It won't hand out IPs on that subnet
# since there is nothing between the curly brackets.
subnet 10.20.20.0 netmask 255.255.255.0 { }

#VLAN - 211
subnet 10.21.12.0 netmask 255.255.252.0 {
        range                           10.21.12.3 10.21.15.254;
        option routers                  10.21.12.1;
        option subnet-mask              255.255.252.0;
        option broadcast-address        10.21.15.255;
}

#VLAN - 212
subnet 10.21.20.0 netmask 255.255.252.0 {
        range                           10.21.20.3 10.21.23.254;
        option routers                  10.21.22.1;
        option subnet-mask              255.255.252.0;
        option broadcast-address        10.21.23.255;
}

interface Vlan211
 description VLAN 211
 ip address 10.21.12.1 255.255.252.0
 ip helper-address 10.20.20.41

interface Vlan212
 description VLAN 212
 ip address 10.21.22.1 255.255.252.0
 ip helper-address 10.20.20.41
Unquote.

Another effort is here.
https://happy-coder.com/2014/06/27/pfsense-custom-dhcpd-configuration/

Another here,
https://blog.tinle.org/2013/01/09/single-dhcp-server-for-multiple-subnets-vlans-one-single-interface/

If this is the case, can you guys help to make this available in OpnSense? So, ideally, we can choose an OpnSense LAN interface, enable the DHCP service on this LAN, but not assign DHCP addresses for this LAN (by making an empty declaration for this subnet). It then has an option for us to add additional SUBNET info. This will make OpnSense a replacement for the Windows DHCP server.

Or, at least, we can still allow assigning DHCP addresses for this specific LAN while, at the same time, allowing it to serve other SUBNETs, if "not serving DHCP addresses" on this LAN is difficult to achieve.

My project actually goes live on Monday Mar 5 2018. I just didn't plan this and just realized this issue. Would this be a quick easy fix with a minor update from you guys?

My next option (least favorite) would be either using a standalone box for this purpose as a standalone DHCP server, or extending all those VLANs across many switches to OpnSense.

Thanks
peng

Title: Re: DHCP Serving multiple subnets to remote networks (vlans), not directly connected
Post by: opnsense@f2f10.com on March 14, 2018, 11:11:11 am
Some pfSense attempts....
pfSense multiple subnets DHCP server

https://forum.pfsense.org/index.php?topic=65736.15
https://github.com/pfsense/pfsense/pull/816
https://github.com/pfsense/pfsense/pull/3836
Title: Re: DHCP Serving multiple subnets to remote networks (vlans), not directly connected
Post by: bartjsmit on March 14, 2018, 02:11:23 pm
Hi Peng,

To my mind there are two types of features in OPNsense; those that make it a drop-in replacement for an ISP router, and enterprise features.

I feel that the DHCP server falls squarely in the first category. Given the size and number of your ranges, you'd be much better off with a separate DHCP server to handle the traffic in a timely fashion.

The DHCP cluster introduced in Windows Server 2012 is arguably better for HA than a non-Windows fail-over setup. If you build a BSD/Linux server, you may need to run it as a VM or a container with host level resilience to guarantee a reasonable availability.

Bart...
Title: Re: DHCP Serving multiple subnets to remote networks (vlans), not directly connected
Post by: franco on March 14, 2018, 06:55:28 pm
Is it the same as this request? https://github.com/opnsense/core/issues/910

I took a stab at it, but gave up due to complexity concerns in the generated DHCP config files to validate arbitrary ranges, which need a subnet anchor anyway.

Only peeked at the PRs... Did you solve this by adding aliases to the interface and tricking DHCP into accepting those? It sounds clever and like a way forward. :)


Cheers,
Franco
Title: Re: DHCP Serving multiple subnets to remote networks (vlans), not directly connected
Post by: opnsense@f2f10.com on March 17, 2018, 12:47:44 pm
Franco,

Yes, it seems a similar request.

Here's more on how people are attempting to do it.
https://happy-coder.com/2014/06/27/pfsense-custom-dhcpd-configuration/   (**on pfSense)

https://blog.tinle.org/2013/01/09/single-dhcp-server-for-multiple-subnets-vlans-one-single-interface/

Hope all these links give you guys some idea to have this happen. It seems they can do it well with these ideas. I am not a coder, but wish you guys can have it happen.

Thanks a lot.
peng
Title: Re: DHCP Serving multiple subnets to remote networks (vlans), not directly connected
Post by: opnsense@f2f10.com on March 17, 2018, 01:03:46 pm
So, for the VLAN that we want to have a STATIC IP as a transit network for other networks, we can simply define this "EMPTY" subnet and list all other subnets here, while we "ENABLE" the DHCP service on this interface. This TRANSIT network will be used at the INTERNAL interface of opnSense hauling traffic back and forth for remote networks going to the Internet or other opnSense-aware networks via a directly connected interface or static routing.

https://community.spiceworks.com/topic/1331562-isc-dhcp-server-for-multiple-vlans (****post on bottom of page***)

The last link that B-C posted was what I used to get it working. The key was dropping all the need for multiple virtual NICs and just use the one. Then spec the ranges and use the "IP Helper" command on my cisco switch for each VLAN definition.

Works flawlessly. Only gotcha is you need to specify a DHCP subnet for the subnet that the DHCP Server is on, but it can be empty (mine is).

Here is my dhcpd.conf and VLAN description from my Cisco switch. I have many more than these two VLANs, but you should get the idea from them.

In isc-dhcp-server's configuration:

# This subnet is the one that the DHCP server is in, has to be here in order
# for the server to hand out addresses. It won't hand out IPs on that subnet
# since there is nothing between the curly brackets.

subnet 10.20.20.0 netmask 255.255.255.0 { }

#VLAN - 211
subnet 10.21.12.0 netmask 255.255.252.0 {
        range                           10.21.12.3 10.21.15.254;
        option routers                  10.21.12.1;
        option subnet-mask              255.255.252.0;
        option broadcast-address        10.21.15.255;
}

#VLAN - 212
subnet 10.21.20.0 netmask 255.255.252.0 {
        range                           10.21.20.3 10.21.23.254;
        option routers                  10.21.22.1;
        option subnet-mask              255.255.252.0;
        option broadcast-address        10.21.23.255;
}

In the Cisco switch:

interface Vlan211
 description VLAN 211
 ip address 10.21.12.1 255.255.252.0
 ip helper-address 10.20.20.41

interface Vlan212
 description VLAN 212
 ip address 10.21.22.1 255.255.252.0
 ip helper-address 10.20.20.41


It seems to me that both pfSense and opnSense use FreeBSD and isc-dhcp-server; if it's doable in isc-dhcp-server, it might be just a matter of having these optional settings available in the GUI.

It would be something like this: for this opnSense, we have the choice of serving DHCP on this interface (yes/no). If we choose no, then the DHCP server will not listen on this interface. If we choose yes, then it will listen for DHCP requests on this interface. We can then define subnet options. With those subnet options, it could have the local interface subnet if we want this local interface to be serviced; otherwise, we have the choice of just leaving it EMPTY. Then, we can add more subnets we want this DHCP server to serve for DHCP requests coming in on this interface.

For the moment, I followed the posts in the other links and created an LXD container on Ubuntu 16.04. The container runs Ubuntu 16.04 and it serves these subnets well for the DHCP requests of the remote networks, together with ip-helper on the Cisco switches.

I just don't want to add one more box to the network if we can just use opnSense; since opnSense is already in the network, is running isc-dhcp-server, and it is just a modification enhancement, we can then do it.
thanks
peng
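As an added example (not code from this thread, OPNsense or ISC dhcpd), the following Python parses the dhcpd.conf fragment quoted above, checks each relayed subnet the way a GUI would have to before accepting arbitrary ranges (the validation concern Franco raises), and shows which declaration the server picks for a request relayed by a switch's "ip helper-address", which arrives with giaddr set to that VLAN's interface IP. The embedded config is a constructed copy of the thread's own with the subnet-mask and broadcast-address options left out; the empty 10.20.20.0/24 anchor is the subnet the server itself sits on.

```python
import ipaddress
import re
# Constructed copy of the dhcpd.conf fragment quoted in the thread: the empty
# "anchor" declaration for the server's own subnet plus two relayed VLANs.
DHCPD_CONF = """
subnet 10.20.20.0 netmask 255.255.255.0 { }
subnet 10.21.12.0 netmask 255.255.252.0 {
    range 10.21.12.3 10.21.15.254;
    option routers 10.21.12.1;
}
subnet 10.21.20.0 netmask 255.255.252.0 {
    range 10.21.20.3 10.21.23.254;
    option routers 10.21.22.1;
}
"""
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")

def parse_subnets(conf):
    """Map each declared network to (pool (lo, hi) or None, router address or None)."""
    subnets = {}
    for net, mask, body in SUBNET_RE.findall(conf):
        network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        gw = re.search(r"option routers\s+(\S+);", body)
        pool = tuple(ipaddress.ip_address(a) for a in rng.groups()) if rng else None
        subnets[network] = (pool, ipaddress.ip_address(gw.group(1)) if gw else None)
    return subnets

def validate(subnets):
    """Check every pool and router against its own subnet anchor; return the problems found."""
    problems = []
    for network, (pool, router) in subnets.items():
        if pool:
            lo, hi = pool
            if lo > hi or lo not in network or hi not in network:
                problems.append(f"{network}: range {lo}-{hi} is not inside the subnet")
            elif lo == network.network_address or hi == network.broadcast_address:
                problems.append(f"{network}: range includes the network or broadcast address")
        if router is not None and router not in network:
            problems.append(f"{network}: router {router} is not inside the subnet")
    return problems

def select_subnet(subnets, giaddr):
    """Scope for a relayed request: giaddr is the switch VLAN IP inserted by 'ip helper-address'."""
    addr = ipaddress.ip_address(giaddr)
    for network, (pool, _) in subnets.items():
        if addr in network:
            return network if pool else None  # empty anchor subnet: nothing to hand out
    return None
```

A request relayed from Vlan211 (giaddr 10.21.12.1) lands in 10.21.12.0/22, one from Vlan212 (giaddr 10.21.22.1) in 10.21.20.0/22, and a request on the server's own 10.20.20.0/24 gets nothing, which is exactly the "empty subnet" behaviour peng wants the GUI to expose.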