Show Posts
1
General Discussion / Re: DCHP Option 121 or 249
« on: January 11, 2023, 11:37:57 pm »
Hey, sorry nobody replied earlier. This is why I can't switch fully to OPNsense, docu isn't great and you can't get help. 
Anyway, if you're still looking for the answer; first I'd like to ask you if you added ALL ROUTES at once. But since It's unlikely I log in soon to check, I'll make some assumptions, if that's OK.
For option 121 you add additional routes, that I gather you already know. As I understand (and in my testing) you need to also add the default route at the end, and before the additional routes (at least on Windows' DHCP client and server) add the route for the local subnet, e.g; all your subnets are /24s, you have an L3 switch with an interface on each of your VLANs taking address .1 and spaced roughly /16 apart on the 10/12 range (so [skipped 10.0.0.1] 10.1.0.1, 10.2.0.1…10.15.0.1) and a router on the same subnets on address .2 that goes out to the Internet, your site-to-site tunnels, remote clients, etc. in other words, the default route.
So, for clients on the 9th VLAN, 10.9.0.0/24, you'd need the routes:
If the 9th VLAN has a second or third subnet directly accessible on the broadcast domain, for instance "10.9.1.0/24", you specify it as a local subnet. Clients would still need an address on the subnet, e.g; eth0=10.9.0.44/24,10.9.1.44/24. Option 121 would need to be:
You have to enter all the strings for all subnets concatenated in option 121. I don't know the syntax though. There was this website that did it for you (I did it on pfSense too) but I don't remember which was it. On Microsoft's DHCP server it looks like fig1, and though it looks easier, looks are deceiving: you need to enter the values in order—they can't be rearranged after the fact. It's been a while though, I might be forgetting something.
An alternative to this (if you goal is something like offloading the routing to a beefier, much faster device such as an L3 switch) is setting it up as the default gateway and use a transit network between it and your upstream router, and one or more static routes on the upstream router. So using the same example subnets, let's say you transit network is 10.16.0.0/24..or /30, whatever.
The switch keeps it .1 address, so does the router. On the switch you set up its default route to 10.16.0.2 corresponding to the router on the transit network just outside the 10/12 range. And your done on that side. Now on the router, you add a static route to 10/12 via 10.16.0.1. If it is a firewall, with per-interface ruleset such as pfSense or OPNsense, you'll add them all in a single interface. You may create network aliases for each of your networks, e.g; 10.9.0.0/24 alias "zone9" or "iscsi".
On OPNsense you can (temporarily) add the routes on console, for the example scenario:
And since your "LAN subnet" preset would not longer match, i.e; it would now match 10.16.0.0/24 while your real LAN is, and must be, on another range; 10/12. So if you're using the default ruleset, "allow anything from the LAN" the firewall will kick in dropping all traffic. For that you need to disable the firewall from the console so you can make your way to the GUI and add (1.) the static routes permanently and (2.) a new firewall rule or edit the existing LAN firewall rule to allow anything from anywhere to buy you some time while you create more targeted rules without being kick out every single change because each time you save something, even if you don't apply it, the firewall re-enables itself. So you need to disable it again, and again, and again…
Test from the inside out, from a host:
The transit network approach — and perhaps I should've started with that — will avoid asymmetric routing that can happen when you have more than one path between subnets. Since firewall like OPNsense are stateful, and routers like L3 switches aren't keeping states, data can flow one-way only and get block by the stateful firewall between subnets and by the built-in stateful firewall in most client OSes if NAT or a reverse proxy are in the way.
In regard to option I didn't know about it, or at least I didn't remember about it if I knew, but from Microsoft:
(…) Microsoft Classless Static Route Option (…) only difference is that Option Code 249 SHOULD be used instead of or in addition to Option Code 121.
So if it work when you add 249, it's because you're most likely overriding option 121. Also check out RFC 3442 just before "page 4"; 'Local Subnet Routes'.
I hope this helps OP or anybody in the forum looking for info. Because the documentation… OMG! I've tried setting up IKEv2 with RADIUS, the docs say to select no RADIUS server in the mobile client config and select it in the phase 1 instead, however, that isn't possible. For over a year I keep checking if there's any change with the new releases… none.
fig1:
fig2:
Anyway, if you're still looking for the answer; first I'd like to ask you if you added ALL ROUTES at once. But since It's unlikely I log in soon to check, I'll make some assumptions, if that's OK.
For option 121 you add additional routes, that I gather you already know. As I understand (and in my testing) you need to also add the default route at the end, and before the additional routes (at least on Windows' DHCP client and server) add the route for the local subnet, e.g; all your subnets are /24s, you have an L3 switch with an interface on each of your VLANs taking address .1 and spaced roughly /16 apart on the 10/12 range (so [skipped 10.0.0.1] 10.1.0.1, 10.2.0.1…10.15.0.1) and a router on the same subnets on address .2 that goes out to the Internet, your site-to-site tunnels, remote clients, etc. in other words, the default route.
Range: 10/12
(10.0.0.1-10.15.255.254)
Subnets: 10.1.0.0/24,
10.2.0.0/24,
10.3.0.0/24,
(…) 10.15.0.0/24;
L3 switch: 10.1.0.1,
10.2.0.1,
10.3.0.1,
(…) 10.15.0.1;
Router: 10.1.0.2,
10.2.0.2,
10.3.0.2,
(…) 10.15.0.2;
So, for clients on the 9th VLAN, 10.9.0.0/24, you'd need the routes:
10.9.0.0/24 0.0.0.0 #see fig2
10.0.0.0/12 10.9.0.1
0.0.0.0/0 10.9.0.2
If the 9th VLAN has a second or third subnet directly accessible on the broadcast domain, for instance "10.9.1.0/24", you specify it as a local subnet. Clients would still need an address on the subnet, e.g; eth0=10.9.0.44/24,10.9.1.44/24. Option 121 would need to be:
10.9.0.0/24 0.0.0.0
10.9.1.0/24 0.0.0.0
10.0.0.0/12 10.9.0.1
0.0.0.0/0 10.9.0.2
You have to enter all the strings for all subnets concatenated in option 121. I don't know the syntax though. There was this website that did it for you (I did it on pfSense too) but I don't remember which was it. On Microsoft's DHCP server it looks like fig1, and though it looks easier, looks are deceiving: you need to enter the values in order—they can't be rearranged after the fact. It's been a while though, I might be forgetting something.
An alternative to this (if you goal is something like offloading the routing to a beefier, much faster device such as an L3 switch) is setting it up as the default gateway and use a transit network between it and your upstream router, and one or more static routes on the upstream router. So using the same example subnets, let's say you transit network is 10.16.0.0/24..or /30, whatever.
The switch keeps it .1 address, so does the router. On the switch you set up its default route to 10.16.0.2 corresponding to the router on the transit network just outside the 10/12 range. And your done on that side. Now on the router, you add a static route to 10/12 via 10.16.0.1. If it is a firewall, with per-interface ruleset such as pfSense or OPNsense, you'll add them all in a single interface. You may create network aliases for each of your networks, e.g; 10.9.0.0/24 alias "zone9" or "iscsi".
On OPNsense you can (temporarily) add the routes on console, for the example scenario:
Code: [Select]
route add 10.0.0.0/12 10.16.0.1
# test if the internal gateway (the switch in this case) is responding
ping 10.16.0.1
# then test with a host on the remote internal network
ping 10.9.0.77
# or one of the switch's internal interfaces
ping 10.9.0.1
And since your "LAN subnet" preset would not longer match, i.e; it would now match 10.16.0.0/24 while your real LAN is, and must be, on another range; 10/12. So if you're using the default ruleset, "allow anything from the LAN" the firewall will kick in dropping all traffic. For that you need to disable the firewall from the console so you can make your way to the GUI and add (1.) the static routes permanently and (2.) a new firewall rule or edit the existing LAN firewall rule to allow anything from anywhere to buy you some time while you create more targeted rules without being kick out every single change because each time you save something, even if you don't apply it, the firewall re-enables itself. So you need to disable it again, and again, and again…
Code: [Select]
#disable firewall
pfctl -d
Test from the inside out, from a host:
Code: [Select]
# the local gateway
ping 10.9.0.1
# the switch's gateway
ping 10.16.0.2
# the router/firewall's gateway or some public well-known host
ping 9.9.9.9
The transit network approach — and perhaps I should've started with that — will avoid asymmetric routing that can happen when you have more than one path between subnets. Since firewall like OPNsense are stateful, and routers like L3 switches aren't keeping states, data can flow one-way only and get block by the stateful firewall between subnets and by the built-in stateful firewall in most client OSes if NAT or a reverse proxy are in the way.
In regard to option I didn't know about it, or at least I didn't remember about it if I knew, but from Microsoft:
(…) Microsoft Classless Static Route Option (…) only difference is that Option Code 249 SHOULD be used instead of or in addition to Option Code 121.
So if it work when you add 249, it's because you're most likely overriding option 121. Also check out RFC 3442 just before "page 4"; 'Local Subnet Routes'.
I hope this helps OP or anybody in the forum looking for info. Because the documentation… OMG! I've tried setting up IKEv2 with RADIUS, the docs say to select no RADIUS server in the mobile client config and select it in the phase 1 instead, however, that isn't possible. For over a year I keep checking if there's any change with the new releases… none.
fig1:
fig2:
]