 From:  Adam Nellemann <adam at nellemann dot nu>
 To:  Melvin Backus <mbackus at bellsouth dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DHCP server - static clients only
 Date:  Thu, 24 Jun 2004 13:43:28 +0200
Melvin Backus wrote:
> At 07:38 PM 6/23/2004, Adam Nellemann wrote:
>>Fred Wright wrote:
>>>On Wed, 23 Jun 2004, Melvin Backus wrote:
>>>>At 05:36 PM 6/23/2004, Adam Nellemann wrote:
>>>>>Stefan Thuering wrote:
>>>>>>Is there a way to limit the DHCP server to work with static (known) 
>>>>>>mac address clients only?
>>>>>>If I enter 4 static macs and limit the server to 4 addr. total it 
>>>>>>should generally be ok, but if those clients aren't always running the 
>>>>>>free slots can be snatched away. :(
>>>>>>A checkbox with "allow static clients only" would be cool !
>>>>>>p.s. m0n0wall is fantastic...
>>>>>> Stefan
>>>>>I too would be interested in this capability. I think one of the old 
>>>>>(pre 1.0) betas was actually capable of doing static-only DHCP (not 
>>>>>too sure though), simply by giving a dynamic IP range of x.x.x.0 to 
>>>>>x.x.x.0, however, when I recently tested this, my host just got the 
>>>>>x.x.x.0 IP address :(
>>>That's the trouble with having to specify it as a closed interval rather
>>>than a half-open interval. :-)
>>>What happens if you make .1 the minimum and .0 the maximum?
>>This happens:
>>"The following input errors were detected:
>>The range is invalid (first element higher than second element)."
>>... But otherwise a nice idea :)
> Hmm, how about assigning a dhcp scope which isn't in your subnet?  Sounds 
> goofy I know, but can you do it?  I don't have access to my m0n0 setup at 
> the moment or I'd try it myself.

Nice idea for a hotfix solution, unfortunately:

"The following input errors were detected:
The specified range lies outside of the current subnet."

With regard to your previous post:

The way DHCP works in m0n0wall, if you enable the DHCP server, you 
must choose an IP range (consisting of at least one IP) for dynamic 
assignments. On the other hand, if you don't enable the DHCP server, 
your static mappings won't be available either (for obvious reasons).

Note also that any static mappings are NOT allowed to lie within the 
chosen dynamic IP range, so it is not an option to use all the 
dynamic IPs for the static mappings.

What is needed, is some way of telling m0n0wall not to dole out any 
dynamic IPs, but only honor requests from the MACs in the list of 
static mappings.

Anyhow, I think perhaps this thread has been assigned more 
"importance" than it deserves. At least my main motivation for adding 
my vote to the proposed "static mappings only" checkbox, was simply a 
wish for a "tidy" configuration, as I have currently no need for 
dynamically assigned IPs on my LAN, and thus find that single unused 
dynamic IP mildly offensive to my sense of order ;)

But since it would appear that security through MAC address limitation 
is rather moot (MACs being as easily sniffed as they are spoofed), I 
see no really important reason for going out of the way to prevent 
that single dynamic IP from being available on the LAN, as one can 
simply choose not to utilize it (as in my case, where all my hosts 
have a corresponding entry in the static mappings list), with little 
to no resulting overhead of any kind. (But of course, I might be 
missing some good reason for avoiding this situation?)

Just my 2c.