DHCP server giving adresses belonging to another interface

pagaille · 2017-12-12 15:14:38 UTC

NethServer Version: 7.4
Module: DHCP

Hi,

I just configured a second LAN interface configured as “Blue” (guests), it’s enp3s6f1 :

I enabled the DHCP server to give adresses on a distinct subnet :

But I discovered that clients connected on that interface were assigned adresses for the green interface, 10.10.5.X !

Logs :
> Dec 12 15:37:19 cloud dnsmasq-dhcp[8186]: DHCP, IP range 10.10.6.1 – 10.10.6.253, lease time 1d ┤
> Dec 12 15:37:19 cloud dnsmasq-dhcp[8186]: DHCP, IP range 10.10.5.1 – 10.10.5.254, lease time 1d
> Dec 12 15:37:42 cloud dnsmasq-dhcp[8186]: DHCPREQUEST(enp3s6f1) 10.10.5.4 e0:f8:47:28:9a:30
> Dec 12 15:37:42 cloud dnsmasq-dhcp[8186]: DHCPACK(enp3s6f1) 10.10.5.4 e0:f8:47:28:9a:30 MBPdeisonniaux6

Relevant part of /etc/dnsmasq.conf :

# Enable the DHCP server. Addresses will be given out from the range
# <start-addr> to <end-addr> and from statically defined addresses
# given in dhcp-host options. 
# See db configuration getprop dnsmasq DhcpStatus

dhcp-range=set:br0,10.10.5.1,10.10.5.254,255.255.0.0,86400
dhcp-option=tag:br0,option:router,10.10.1.1
dhcp-range=set:enp3s6f1,10.10.6.1,10.10.6.253,255.255.255.0,86400
dhcp-option=tag:enp3s6f1,option:router,10.10.6.1
dhcp-lease-max=518

Any idea ? Bug ?

robb · 2017-12-12 15:49:05 UTC

At first glanse: Your subnetmask of 255.255.0.0 for 10.10.5.x is overlapping 10.10.6.x subnet

pagaille · 2017-12-12 16:01:16 UTC

ARGH

My bad Thats a remnant of an old configuration. I changed the DHCP range but not the interface’s mask.

Thanks @robb, I had the answer in front of my eyes.

PS / Did I mention that @pagaille means more or less “mess” or “confusion” in english ?

robb · 2017-12-12 16:04:01 UTC

Don’ t worry…confusion is my middle name… lol
please mark the correct answer so the topic gets marked as solved

pagaille · 2017-12-12 18:50:21 UTC

Still there is something I still don’t understand.

I configured the blue interface on a separate subnet as instructed on the wiki and the doc. Allright. But what’s the point in this “guest” interface since setting a different subnet would anyway isolate the two networks ? What’s the difference between two green interfaces on separate subnets and the recommended configuration ?

mrmarkuz · 2017-12-12 19:00:27 UTC

Firewall policies allow inter-zone traffic accordingly to this schema:
GREEN -> BLUE -> ORANGE -> RED
Traffic is allowed from left to right, blocked from right to left.

http://docs.nethserver.org/en/v7/firewall.html#policy

With two green interfaces they can access each other because they are routed and allowed by policy.

pagaille · 2017-12-12 19:06:16 UTC

Oh RIGHT, they’re routed. That’s the point I was missing.