Version: M0nowall v1.23b4
Hardware: Soekris Net4801, M0nowall installed on compact flash
The Services:DHCP Server webgui has an issue when multiple interfaces have the DHCP server enabled and DHCP clients are defined with MAC addresses. This would be the case on the Soekris Net4801 when both the LAN and OPT1 are used for different subnets with different allowed DHCP clients defined for each subnet. I am not enough of an expert to troubleshoot the services_dhcp.php script or the services_dhcp_edit.php script to suggest the proper fix.
The issue is that the resulting /var/etc/dhcpd.conf that is generated has the DHCP clients (hosts) defined outside of the subnet block statements. This is not an issue if there is only one subnet (one internal network interface) defined. But if there are multiple subnets (internal interfaces) used, then the hosts defined outside the subnet pool are global in scope, not just in scope in the subnet they were defined in with the webgui.
This can cause some surprising behaviors. A DHCP client MAC (host) that is allowed to connect in one subnet is also allowed in all of the other subnets (even when "deny unknown clients" is enabled). I have tested this behavior when DHCP clients (hosts) are defined without specifying a specific IP address.
I suspect that the behavior might be even more peculiar if a specific IP address is specified in subnet 1 and the host connects from subnet 2 and potentially gets an IP address in subnet 1 that is not useable.
In some cases, a firewall builder may want to define all DHCP clients as global, not specific to a single subnet. But in other cases, there may be a need to define DHCP hosts that are allowed only in one subnet. So the ideal might be an additional checkbox in the DHCP Server webgui that can be used to decide whether to make all hosts global, or local to a specific subnet. To fix this issue, the services_dhcp.php script would need to be modified so that the DHCP client hosts are written inside the subnet block when local, or outside the subnet block when global (the current behavior).
Again, all of this is moot when a single subnet is used or when all of the internal (non-WAN) interfaces are bridged to a single interface.
An example dhcpd.conf file below illustrates this behavior:

    subnet 192.168.1.0 netmask 255.255.255.0 {
        pool {
            deny unknown clients;
            range 192.168.1.10 192.168.1.99;
        }
        option routers 192.168.1.254;
        option domain-name-servers 192.168.1.254;
    }

    subnet 192.168.100.0 netmask 255.255.255.0 {
        pool {
            deny unknown clients;
            range 192.168.100.10 192.168.100.99;
        }
        option routers 192.168.100.254;
        option domain-name-servers 192.168.100.254;
    }

    host s_lan_0 {
        hardware ethernet 00:02:8a:2b:da:2f;
        fixed-address 192.168.1.113;
    }
    host s_lan_1 {
        hardware ethernet 00:20:e0:8e:e7:29;
    }
I suspect that this issue also exists in previous versions of m0nowall.
Thanks, -msbaker
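The two layouts the post contrasts, as an added example that is not part of the post and not m0nowall's own services_dhcp.php code. The script below renders a dhcpd.conf from a small dict shaped like m0nowall's per-interface DHCP settings (the dict layout, the `global_hosts` flag standing in for the proposed checkbox, and the OPT1 static mapping with its MAC are all assumptions made for the example), and includes a brace-walking check, `host_scopes`, that reports whether each `host` declaration sits at top level (global) or inside a subnet block. The check is whitespace-insensitive, so it can be run as-is on the flattened file from the post, which is embedded verbatim as `POSTED_CONF`. The generator writes the documented `deny unknown-clients;` spelling from dhcpd.conf(5) rather than the `deny unknown clients;` form in the posted file. One caveat before implementing the nesting in services_dhcp.php: my understanding of ISC dhcpd is that a host declaration is matched by hardware address wherever it appears in the file and that the enclosing subnet mainly scopes the options applied to the host, so whether a nested host still counts as "known" on the other subnet should be tested on the box rather than assumed.

```python
"""Added example (not m0nowall's own code): render dhcpd.conf with hosts
either global (the layout the post describes) or nested per subnet (the
proposed 'local' layout), plus a check that classifies host declarations."""

# Constructed config, shaped like the post's Net4801 LAN/OPT1 setup.
# The OPT1 static mapping and its MAC are made up for the example.
CONFIG = {
    "lan": {
        "subnet": "192.168.1.0", "netmask": "255.255.255.0",
        "range": ("192.168.1.10", "192.168.1.99"),
        "router": "192.168.1.254", "dns": "192.168.1.254",
        "deny_unknown": True,
        "staticmap": [
            {"mac": "00:02:8a:2b:da:2f", "ipaddr": "192.168.1.113"},
            {"mac": "00:20:e0:8e:e7:29", "ipaddr": ""},  # MAC only, no fixed IP
        ],
    },
    "opt1": {
        "subnet": "192.168.100.0", "netmask": "255.255.255.0",
        "range": ("192.168.100.10", "192.168.100.99"),
        "router": "192.168.100.254", "dns": "192.168.100.254",
        "deny_unknown": True,
        "staticmap": [
            {"mac": "00:0c:29:aa:bb:cc", "ipaddr": "192.168.100.50"},
        ],
    },
}

# The dhcpd.conf from the post, verbatim, so the check can be run on it.
POSTED_CONF = (
    "subnet 192.168.1.0 netmask 255.255.255.0 { pool { deny unknown clients; "
    "range 192.168.1.10 192.168.1.99; } option routers 192.168.1.254; "
    "option domain-name-servers 192.168.1.254; }\n"
    "subnet 192.168.100.0 netmask 255.255.255.0 { pool { deny unknown clients; "
    "range 192.168.100.10 192.168.100.99; } option routers 192.168.100.254; "
    "option domain-name-servers 192.168.100.254; }\n"
    "host s_lan_0 { hardware ethernet 00:02:8a:2b:da:2f; "
    "fixed-address 192.168.1.113; } "
    "host s_lan_1 { hardware ethernet 00:20:e0:8e:e7:29; }\n"
)


def host_decl(ifname, idx, entry):
    """One host declaration, named s_<if>_<n> like the posted file."""
    lines = [f"host s_{ifname}_{idx} {{", f"  hardware ethernet {entry['mac']};"]
    if entry["ipaddr"]:
        lines.append(f"  fixed-address {entry['ipaddr']};")
    lines.append("}")
    return lines


def render_dhcpd_conf(config, global_hosts=True):
    """global_hosts=True reproduces the layout the post describes (every host
    after all subnet blocks, hence global); False nests each interface's
    hosts inside its own subnet block, the 'local' layout the post proposes."""
    out, trailing = [], []
    for ifname, cfg in config.items():
        first, last = cfg["range"]
        out.append(f"subnet {cfg['subnet']} netmask {cfg['netmask']} {{")
        out.append("  pool {")
        if cfg["deny_unknown"]:
            out.append("    deny unknown-clients;")  # spelling per dhcpd.conf(5)
        out.append(f"    range {first} {last};")
        out.append("  }")
        out.append(f"  option routers {cfg['router']};")
        out.append(f"  option domain-name-servers {cfg['dns']};")
        hosts = [ln for i, e in enumerate(cfg["staticmap"])
                 for ln in host_decl(ifname, i, e)]
        if global_hosts:
            trailing.extend(hosts)
        else:
            out.extend("  " + ln for ln in hosts)
        out.append("}")
    out.extend(trailing)
    return "\n".join(out) + "\n"


def host_scopes(conf_text):
    """Walk the braces of a dhcpd.conf and return [(host_name, subnet_or_None)].
    A None scope means the host is declared at top level, i.e. global.
    Comments (#) are stripped first; quoted strings are not special-cased."""
    text = "\n".join(ln.split("#", 1)[0] for ln in conf_text.splitlines())
    stack, found, buf = [], [], ""
    for ch in text:
        if ch == "{":
            header = buf.split()  # words between the last delimiter and this brace
            buf = ""
            stack.append(header)
            if len(header) >= 2 and header[0] == "host":
                subnets = [h[1] for h in stack if len(h) >= 2 and h[0] == "subnet"]
                found.append((header[1], subnets[-1] if subnets else None))
        elif ch == "}":
            if stack:
                stack.pop()
            buf = ""
        elif ch == ";":
            buf = ""
        else:
            buf += ch
    return found


if __name__ == "__main__":
    for name, scope in host_scopes(POSTED_CONF):
        print(f"{name}: {'global' if scope is None else 'local to ' + scope}")
    print(render_dhcpd_conf(CONFIG, global_hosts=False))
```

Running `host_scopes` on the posted file reports both s_lan_0 and s_lan_1 as global, which is the condition described in the post; on the output of `render_dhcpd_conf(CONFIG, global_hosts=False)` each host is reported with the subnet that encloses it. The check can be pointed at /var/etc/dhcpd.conf on a box to confirm which layout a given m0nowall build writes.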