What do you think about this proposal by my mate @davide_marini?
NethServer with (at least) green + red configuration:
- DHCP server enabled on green
- DHCP reservation
- IP/MAC binding enabled
- IP/MAC binding policy: block all traffic without binding
This kind of configuration is useful to leave all clients with a dynamic IP: the DHCP server always releases the same IP based on MAC identification, and the devices not in the DHCP reservations are blocked by the firewall.
In this scenario no device can receive an IP address from the DHCP server, because every request made to the firewall is blocked (the client is asking for an IP address but it hasn't one yet, so it won't match the IP/MAC binding table).
The suggested solution is to add the option "dhcp" in the file /etc/shorewall/interfaces for the loc zones; the option accepts every request on UDP ports 67 and 68, and it works even in case of MACLIST_TABLE=mangle.
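As an added illustration (not part of the original post or of NethServer's own templates), the snippet below puts the two states of the Shorewall interfaces file side by side, the loc line with only `maclist` and the same line with `dhcp,maclist`, together with a small check that a defender can run against the real file to confirm the fix is in place. Interface name, MAC and IP values are constructed, and the file is assumed to use Shorewall's classic four-column layout (ZONE INTERFACE BROADCAST OPTIONS); MACLIST_TABLE and MACLIST_DISPOSITION are shown only for context.

```shell
#!/bin/sh
# Constructed sample of /etc/shorewall/interfaces (classic 4-column layout).
# BEFORE: the loc zone enforces MAC/IP bindings but has no exemption for DHCP,
# so a client without a lease can never obtain one.
INTERFACES_BEFORE='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     eth1        detect      maclist'

# AFTER: the dhcp option lets UDP 67/68 through before the maclist check,
# which is the fix described in the post above.
INTERFACES_AFTER='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     eth1        detect      dhcp,maclist'

# Related settings, for context only (not needed by the check below):
#   /etc/shorewall/shorewall.conf   MACLIST_TABLE=mangle
#                                   MACLIST_DISPOSITION=DROP   ("block all traffic without binding")
#   /etc/shorewall/maclist          ACCEPT  eth1  00:11:22:33:44:55  192.168.1.10   (constructed entry)

# loc_has_dhcp CONTENT
# Returns 0 when every "loc" line carries "dhcp" in its comma-separated
# OPTIONS column (4th field), 1 otherwise. Comment lines are skipped.
loc_has_dhcp() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "loc" {
            seen = 1
            ok = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "dhcp") ok = 1
            if (!ok) missing = 1
        }
        END { exit (seen && !missing) ? 0 : 1 }'
}

# check_file PATH  -  convenience wrapper for the live system.
check_file() {
    loc_has_dhcp "$(cat "$1")"
}

# Stand-alone demonstration against the constructed samples.
if loc_has_dhcp "$INTERFACES_BEFORE"; then
    echo "BEFORE: dhcp option present"
else
    echo "BEFORE: dhcp option missing on loc (clients cannot get a lease)"
fi
if loc_has_dhcp "$INTERFACES_AFTER"; then
    echo "AFTER: dhcp option present on loc"
else
    echo "AFTER: dhcp option missing on loc"
fi
```

Running `check_file /etc/shorewall/interfaces` on a host whose loc line lacks the option exits non-zero, which is a simple way to catch the misconfiguration before clients start failing to obtain leases.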