dhcp range on different subnet OR virtual interface

[biyover]

Hi:

Im trying to configure a "open" wifi network in a school. As I have read in numerous places, the best practice is to isolate the network and just offer basic connectivity.

I have a AP that can broadcast separate SSIDS, one private and one public. I thought I would create a virtual interface in Zentyal and route all this traffic through there, into the proxy and then out into the internet.

My big hiccup is that there is no strait forward way to use dhcp on a virtual interface in Zentyal (and it seems that in version 2 there was. )

I tried to directly edit the dhcp.config but didn't succeed in getting a functional connection.

HAs anyone attempted something like this or has setup something similar? Any feedback is most welcome.

[Escorpiom]

This works fine.
You can create a virtual interface and set the desired DHCP range for that interface.
Also on 3.0.x.

Cheers. 

[biyover]

Really? Because that's what I first looked for and didn't find a way of doing it.

After I set the virtual interface (Network->Interfaces->Add Virtual IP) I looked in DHCP... but when I tried to set a range with the appropriate subnet (different to the "real" ip of the interface), zentyal won't allow it. And the virtual interface does not show up as an option to run dhcp on it.

¿Do you have a setup like this? If you do, I'm very interested in knowing how you achieved this. I know you can do it in the configs, and I'm currently reading up on dhcp.config to set it up, but it would be leaps better if I could set it up directly from the web-gui.

[Escorpiom]

Sadly, you are correct.
I just "remoted" to a client's Zentyal 3.0 server and set up a virtual interface 10.x.x.x on the main LAN interface 192.168.0.x.
Saved config and went to DHCP, expecting to be able to choose the newly created virtual interface to run DHCP on.
Indeed the virtual interface didn't appear in the list, so your observation is correct.
What I did not try, is to set the virtual interface as a subnet from 192.168.x.x.

My own server is still at Zentyal 2.2 and it is doing DHCP just fine on several virtual interfaces.
If the desired functionality has been removed in 3.x then that's a major drawback and for me that would also mean no upgrade path to 3.2.x.
Will report this and hope to get some feedback (they seem rather busy a.t.m.) from Zentyal team.


Cheers. 

[biyover]

I found a ticket for feature requests that asks for this to be reinstated. It seems that there was some "troubles" with the dhcp server and virtual interfaces, but there are not any details.

Would it be possible to see what the dhcp.config looks like when you have dhcp running on a virtual interface?

I have found examples of dhcp.configs that don't rely on a virtual interface, or don't seem to have one configured, they just assign addresses on a different network (ie, 10.x.x.x and 192.168.x.x, etc)

My other question is: I see that when details for the network are sent, they include dns server and router pointing a the dhcp server. For instance, my main network is 192.168.10.0/24 and i set the server as a router and dns server on 192.168.10.1.
When I create a new pool on 10.10.10.0/24 and the server is 10.10.10.1... I don't understand how the new address handles routing and dns requests. Clearly there has to be a dns server running on that interface and/or address, but what about routing? Does the routing table just handle this? Since I haven't tried it yet I don't know, maybe it just works

Thanks for the input.

[half_life]

This is one upside to running Zentyal as a virtual machine under a real hypervisor.  If I needed to do this all I would need to do is create another ethernet device for Zentyal under Proxmox and reboot. 

This seems like a bug actually.  I might suggest putting in a bug report.

[Escorpiom]

@biyover: You mean the default gateway? As far as my Zentyal 2.2 server, the routing table handles this yes.
I've got about ten virtual interfaces and no problems with routing.
Can you open a bugreport, if not I'll do it.

Cheers.

[biyover]

OK. I understand, but maybe it's the underlying setup in zentyal 2.2 that "works it out". no?

Anyway, if I did modify my dhcp.config, I would still need to create a virtual interface to handle the connections and routing, right? It's not possible to set a router on a different subnet (ie, network is 10.x.x.x and router is set to 192.168.x.x)

I'll be doing some testing on monday to find out how it can be done, but it means setting up something semi-permanent in the dhcp.config.mas file...

[Escorpiom]

Place a router in your network to separate different subnets?
Based on your original question, I would say sure, it's perfectly possible.
Before doing the virtual interfaces "thing" I had two more routers on my network.
Did work but at the end quite bothersome maintaining all the port forwarding and alike.
I'm not promoting the use of double routing on the network.

In Zentyal 2.2.x it is simplified because modifications and rules are being carried out by Zentyal, so you are being saved from the whole firewall and IP tables stuff.

So you are going to hack into the dhcp.conf.mas to establish the desired functionality? Staying with 3.0.x?

Cheers.   

 

[biyover]

Hi...

No, what I meant is if I enter a different subnet in my dhcpd.conf file, who does the routing for that subnet?

Do i create a virtual interface in Zentyal and that "works" as the router? or do I have to fiddle with iptables to do NAT from the subnet to a "real" interface in Zentyal???

Basically this is what I'm dealing with. I still haven't had time to do real testing though.

Thanks.

[Escorpiom]

Sorry, now I understand. I'm a bit slow from time to time.

Let's ignore the DHCP issue on virtual interfaces for a moment.
Let's assume you are on Zentyal 3.x and create a virtual interface.
On the client device, you assign a static IP that matches the subnet of the virtual interface.
You should be able to surf and use the functionality Zentyal offers (except DHCP of course) without hacking around the config file.

Anyway you should test it as you say, but I expect the only issue here is the non-DHCP functionality on virtual interfaces, nothing more.

Cheers.


 

[robb]

Just for the sake of elaboration on the issue:
Maybe I am missing something, but if you have 2 subnets on the same physical adapter (1 on the adapter and 1 virtual) wouldn't you get VERY strange behaviour if you put 2 DHCP servers, distributing IP addresses of different subnets, on that same adapter?

[christian]

Indeed.
To me, main problem is that getting an IP from DHCP server is based on broadcast thus unless you find a way to segregate broadcast frames, any machine on same physical network will get an answer (thus an IP) from any of the available DHCP server.

You can achieve your goal with different implementations:

1 - run another DHCP server on your Wifi access point, dedicated to wifi devices and set up the LAN side, using static IP, to use another VLAN (if your access point supports this)
2 - or use dedicated NIC on your Zentyal server providing IPs to wifi devices. Use of such DMZ is really the safest approach, IMHO.

[biyover]

Just for the sake of elaboration on the issue:
Maybe I am missing something, but if you have 2 subnets on the same physical adapter (1 on the adapter and 1 virtual) wouldn't you get VERY strange behaviour if you put 2 DHCP servers, distributing IP addresses of different subnets, on that same adapter?

I don't want to run two server, just get the current one to hand out a different subnet. As described by Escorpion, Zentyal 2.0 already does this on virtual interfaces, so clearly it can be done and has been done and it works.

I have already found a setup like the one I am looking for and overall it's quite simple. ONE dhcp server hands out addresses for THREE subnets. Two have particular rules that match clients based on MAC or are directly registered in the dhcp.conf file (like setting a fixed address in the zentyal config and network objects). These subnets also DENY unknown clients, so that only AND only the ones that match or are registered receive an address for that subnet.
The remaining subnet declaration handles all other possible clients, thus isolating them and offering simple connectivity to the internet.

It looks like I might look into downgrading back to zentyal 2 if it's easier to implement there. I will persist, though, by trying to configure dhcp.conf first.

[robb]

I realize I am going offtopic here and with additional scripting it might work to use (multiple) virtual adapters on 1 physical adapter (for example seperating subnets based on mac address, but IMO this is a VERY slippery way of getting safety in your network since macaddresses are easily changed)
I'd rather opt for a physically separated setup so use multiple NICs in your server so you know for sure the subnets are on separate networks.
It shouldn't be too difficult to add a dual or even quad port network adapter in a server.

However it is confirmed that there is no option to activate DHCP on a Virtual adapter. Maybe Zentyal staff van comment if this is intentionally taken out and if so, why?