LinuxQuestions.org
Old 01-29-2008, 10:56 PM   #1
chappel77
LQ Newbie
 
Registered: Oct 2004
Posts: 3

Rep: Reputation: 0
dhcpd Filtering by MAC


I'm hoping there is a dhcpd wizard out there that can help me with a config question. I'm trying to set up a dhcpd server that will only hand out addresses to a specific OUI group, Proxim (00:20:A6). It would seem that you can do this, but I haven't found a good example to work from. Any info or places to start would be great.

This is all I've found, but I don't know enough to implement it.

group {
match if (substring(hardware,1,3)=00:0e:7b);
range 123.123.123.1 123.123.123.50;
deny unknown-clients;
}

Thanks,
Bruce
 
Old 01-31-2008, 04:12 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I am no wizard, but I can (and did) search on the phrase "match if (substring(hardware". See if the final post in this thread helps. I think it is very similar to what you are trying to do. (And I think I just learned a little bit more about dhcpd!)
 
Old 01-31-2008, 05:06 PM   #3
chappel77
LQ Newbie
 
Registered: Oct 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Thank you for the link; it was very helpful. However, I am still not able to get it working. Here's my dhcpd.conf:

#DHCP CONFIG

#ddns-update-style ad-hoc;


# option definitions common to all supported networks...
option domain-name "ntdom.cupdx";
option domain-name-servers 70.103.52.169;
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;


class "access-points" {
match if substring(hardware,1,3) = 00:20:a6;
}

# 10.24.10.0
subnet 10.24.10.0 netmask 255.255.255.0 {
pool {
range 10.24.10.201 10.24.10.229;
allow members of "access-points";
deny unknown-clients;
}
}



This is what I get when I test:


bhenderson@dhcpd-ap4000:~$ sudo dhcpd3 -d -f 2>&1
Internet Systems Consortium DHCP Server V3.0.3
Copyright 2004-2005 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 0 leases to leases file.
Listening on LPF/eth0/00:0c:29:ca:69:c6/10.24.10/24
Sending on LPF/eth0/00:0c:29:ca:69:c6/10.24.10/24
Sending on Socket/fallback/fallback-net
DHCPDISCOVER from 00:20:a6:7e:bd:70 via eth0: network 10.24.10/24: no free leases
DHCPDISCOVER from 00:20:a6:7e:bd:70 via eth0: network 10.24.10/24: no free leases
DHCPDISCOVER from 00:20:a6:7e:bd:70 via eth0: network 10.24.10/24: no free leases

If anyone can see my error, please let me know.
I assume that the client is not meeting the class requirement, but I don't know why. Again, any info or lead in the right direction would be great.

Bruce
 
Old 01-31-2008, 08:09 PM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
EDIT: I am leaving this post here for historical (hysterical?) purposes, but as I outline in my next post, I now believe what I suggest in this post to be neither needed nor helpful.

It looks to me like you did exactly the same as the page I linked to. Have you tried removing the restrictions to verify that is the problem?

Last edited by blackhole54; 02-01-2008 at 12:28 AM.
 
Old 02-01-2008, 12:56 AM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I did some tests on my own DHCP server and might know what is going on here. As I am still learning this myself, please verify for yourself what I say. Let me also note that I used dhcpd version isc-dhcpd-V3.0pl1 which I believe is rather old.

I believe the problem is the deny unknown-clients statement. I don't understand why it worked for the poster on our reference page. I set up something analogous to your conf file except that I was working with 192.168.2.0/24. I also got the no free leases message. This went away if I either commented out the deny unknown-clients line or if I added a host declaration for the machine seeking an IP address. This seems consistent with what the dhcpd.conf man page says about unknown-clients. Namely, a client is "unknown" if it doesn't have a host declaration. So that statement prohibits dhcpd from leasing an address to such a machine (in your case, all machines).

Further, as I understand the man page, with the allow statement present, everything that is not specifically allowed will be denied. So an explicit deny statement is not necessary.

I hope this helps you get things working.

Last edited by blackhole54; 02-01-2008 at 01:00 AM. Reason: typo cleanup
 
Old 02-01-2008, 03:48 AM   #6
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS7
Posts: 267

Rep: Reputation: 58
man dhcp-eval shows: substring (data-expr, offset, length)
The substring operator evaluates the data expression and returns the substring of the result of that evaluation that starts offset bytes from the beginning, continuing for length bytes. Offset and length are both numeric expressions. If data-expr, offset or length evaluate to null, then the result is also null. If offset is greater than or equal to the length of the evaluated data, then a zero-length data string is returned. If length is greater than the remaining length of the evaluated data after offset, then a data string containing all data from offset to the end of the evaluated data is returned.

This might indicate that "match if substring(hardware,1,3) = 00:20:a6;" is improperly defined, i.e. starts with 0, length is 8 or some such. I don't know what the actual expression storage is.....
 
Old 02-01-2008, 09:07 AM   #7
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by david1941
This might indicate that "match if substring(hardware,1,3) = 00:20:a6;" is improperly defined, i.e. starts with 0, length is 8 or some such. I don't know what the actual expression storage is.....
In my tests, that worked fine. Specifically, I used:

Code:
  class "PANG"  {
     match if substring(hardware,1,3) = 00:17:31;
  }
Combined with

Code:
    pool  {
       range 192.168.2.221 192.168.2.239;
       allow members of "PANG";
#      deny unknown-clients;
    }
in the subnet specification. This allowed an interface whose MAC started with 00:17:31 and excluded one that didn't start with that. Note that I commented out the offending statement.

EDIT: BTW, no free leases seems to be the standard message when it is blocking. I guess because there aren't any free leases in the null set!

Last edited by blackhole54; 02-01-2008 at 09:22 AM.
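
Added example (not part of any post in this thread, and not ISC dhcpd code): a simplified Python model of the two behaviours discussed above, namely why `substring(hardware,1,3)` yields the OUI and why `deny unknown-clients` blocks a class member that has no host declaration. The function names and the `OTHER` MAC are constructed for illustration; the model assumes Ethernet (hardware type 1) and a pool with a single `allow members of` rule.

```python
# Simplified model of dhcpd expression and pool-permit evaluation (illustrative only).

ETHERNET = 1  # hardware type byte that prefixes the `hardware` data string


def mac_bytes(text: str) -> bytes:
    """Parse colon-separated hex such as 00:20:a6 into raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def hardware(mac: str, htype: int = ETHERNET) -> bytes:
    """dhcp-eval `hardware`: interface type first, then the link-layer address."""
    return bytes([htype]) + mac_bytes(mac)


def substring(data: bytes, offset: int, length: int) -> bytes:
    """dhcp-eval `substring`: zero-length if offset is past the end, else clipped."""
    return data[offset:offset + length]


def in_class(mac: str, oui: str) -> bool:
    """Models: match if substring(hardware,1,3) = <oui>;"""
    return substring(hardware(mac), 1, 3) == mac_bytes(oui)


def pool_serves(mac, allow_oui, deny_unknown, host_macs=()):
    """A pool is skipped if any deny rule matches; otherwise an allow rule must match."""
    known = mac.lower() in {m.lower() for m in host_macs}  # has a host declaration
    if deny_unknown and not known:
        return False  # dhcpd reports this as "no free leases"
    return in_class(mac, allow_oui)


AP = "00:20:a6:7e:bd:70"      # client MAC from the dhcpd3 log in post #3
OTHER = "00:0c:29:aa:bb:cc"   # constructed MAC outside the Proxim OUI

if __name__ == "__main__":
    print("hardware(AP)      =", hardware(AP).hex())
    print("substring(.,1,3)  =", substring(hardware(AP), 1, 3).hex())
    print("substring(.,0,3)  =", substring(hardware(AP), 0, 3).hex())
    print("post #3 config    :", pool_serves(AP, "00:20:a6", deny_unknown=True))
    print("deny line removed :", pool_serves(AP, "00:20:a6", deny_unknown=False))
    print("non-Proxim client :", pool_serves(OTHER, "00:20:a6", deny_unknown=False))
    print("deny + host decl. :", pool_serves(AP, "00:20:a6", True, host_macs=[AP]))
```

Offset 0 would compare the hardware-type byte plus only two MAC bytes, which is why the class expression starts at offset 1.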
 
Old 02-02-2008, 03:42 PM   #8
chappel77
LQ Newbie
 
Registered: Oct 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Thank you for the solution. I should have put more time into it before I posted again.

Thank you,
Bruce
 
  


All times are GMT -5. The time now is 05:39 AM.
