
First let me describe my environment:

  • There is a VM (CentOS) acting as a gateway
  • The gateway VM has two NICs: eth0 connects to the public network, eth1 connects to the private network
  • eth0 gets its IP from the public network's DHCP server
  • The gateway contains a DHCP server which offers IP to private network through eth1
  • Since private network needs to access public network, NAT is enabled on the gateway VM, and thus ip_forward is set to 1 on gateway VM.

Now the issue I'm facing is, when I deploy a new VM on public network, the VM gets IP from gateway VM's DHCP server. But gateway's DHCP server should only offer IP to private network.

How to prevent gateway's DHCP server from offering IP to public network?

TieDad
  • As you said, "gateway's DHCP server should only offer IP to private network". You need to check the configuration of this DHCP server and configure it in this way. How many hosts do you have in the "public" network? Is their configuration also messed up now, since you have 2 DHCP servers there? – Andrey Sapegin Jun 04 '15 at 07:22
  • I have set `DHCPDARGS=eth1`. – TieDad Jun 04 '15 at 07:34

2 Answers


DHCP uses broadcast traffic for its discovery process. Routers do NOT forward broadcast traffic.

If your VMs on the "inside"/eth1 side of your router are getting leases from your modem/router on the "outside"/eth0 side, then you have a bridge somewhere between the 2 networks; either your "router" is actually a bridge (do you have an interface called br0 or similar on the router?), or you're using the same switch, something is patched wrong, etc.

EDIT: I just re-read your question and I may have misunderstood. You want to prevent clients on the "public" network getting a lease from the DHCP server on that network, but that server is NOT your "gateway" server?

fukawi2
  • To clarify, I want clients on the 'public' network to get an IP from the 'public' network's DHCP server. The dhcpd on 'gateway' should only serve the 'private' network. There is no `br0` on the gateway, I only enabled NAT by `iptables`. – TieDad Jun 04 '15 at 07:30
  • OK, then you just need to disable the DHCP server on the `eth0` interface. If you're using ISC DHCPD then you can do this by removing the subnet declaration in the config, adding a 'deny unknown-clients' directive to the subnet declaration, or manually specifying that dhcpd should only listen on `eth1`. – fukawi2 Jun 04 '15 at 22:37

If you have already restarted your DHCP server after setting `DHCPDARGS=eth1`, but the issue still exists, you need to do something to find where the problem is.

  1. Check if DHCP is really running on eth0, e.g. with `netstat -tulpn`. If it is still running on eth0, there is a problem with the configuration of the DHCP server.

  2. If not, check on the VM, where it gets the IP from. For example:

    less /var/lib/dhcp3/dhclient.leases

    https://unix.stackexchange.com/q/44376/40594

As fukawi2 wrote, maybe your DHCP config is fine, it is just your public and private networks connected/bridged?

Again, how many hosts do you have in the "public" network? Is their configuration also messed up now, since you have 2 DHCP servers there? If one VM gets the IP from wrong DHCP, other hosts should have a similar issue.

Andrey Sapegin
  • I think the issue is that I enabled `ip_forward` on the gateway VM, thus the DHCP request packet received from the 'public' network on eth0 gets forwarded to eth1. Thus I'm thinking if it's possible to use `iptables` to drop DHCP request packets on eth0. – TieDad Jun 04 '15 at 07:57
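An added example (not code from the question or either answer) that applies fukawi2's advice: audit `/etc/dhcp/dhcpd.conf` so the only `subnet` declaration is the private one behind eth1, and print the setting that binds dhcpd to eth1. The subnet values are placeholders; the config path and `DHCPDARGS` location are the usual CentOS ones.

```shell
#!/bin/sh
# Added example: audit an ISC dhcpd.conf so that it only declares the subnets the
# private (eth1) side should serve, and show how to bind dhcpd to eth1 alone.
# Subnet values are placeholders, not the asker's real addresses.

# Print every "subnet A netmask B" declaration in a dhcpd.conf as A/B, one per line.
dhcpd_subnets() {
    sed -n 's/^[[:space:]]*subnet[[:space:]]\{1,\}\([0-9.]\{1,\}\)[[:space:]]\{1,\}netmask[[:space:]]\{1,\}\([0-9.]\{1,\}\).*/\1\/\2/p' "$1"
}

# Return 0 only if every declared subnet is in the allowed list.
# $1 = dhcpd.conf path; remaining arguments = allowed "net/mask" entries.
dhcpd_scope_ok() {
    conf=$1; shift
    for s in $(dhcpd_subnets "$conf"); do
        allowed=0
        for a in "$@"; do [ "$s" = "$a" ] && allowed=1; done
        if [ "$allowed" -ne 1 ]; then
            echo "dhcpd.conf declares a subnet it should not serve: $s" >&2
            return 1
        fi
    done
    return 0
}

# The setting that keeps dhcpd off eth0 regardless of what dhcpd.conf declares:
# CentOS passes DHCPDARGS from /etc/sysconfig/dhcpd to dhcpd, so listing eth1
# makes it the only interface dhcpd opens. Note that an iptables INPUT rule alone
# does not stop dhcpd: it reads DHCP via a raw packet socket that netfilter never sees.
eth1_only_setting() {
    echo "DHCPDARGS=eth1"
}

# Constructed sample config that wrongly declares both networks.
tmp=$(mktemp -d)
cat > "$tmp/dhcpd.conf" <<'EOF'
subnet 192.168.100.0 netmask 255.255.255.0 {   # private side behind eth1 (placeholder)
  range 192.168.100.50 192.168.100.200;
}
subnet 10.0.0.0 netmask 255.255.255.0 {        # public side on eth0: must not be served
  range 10.0.0.50 10.0.0.200;
}
EOF
if ! dhcpd_scope_ok "$tmp/dhcpd.conf" 192.168.100.0/255.255.255.0; then
    echo "remove the public subnet and put this in /etc/sysconfig/dhcpd: $(eth1_only_setting)"
fi
rm -rf "$tmp"
```

Run it against the real `/etc/dhcp/dhcpd.conf` with your private subnet as the allowed entry; any other subnet it reports is one dhcpd will happily answer for if the interface is reachable.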