Topic: DHCP only for WiFi Clients connected through Access Point  (Read 6706 times)
« on: June 01, 2012, 12:57:19 »
henmedia *
Posts: 26

Hi all,

m0n0wall is my router for the whole LAN. There is also an Access Point in my LAN, which serves my wireless clients.
As this AP has no built-in DHCP server, I'm using the DHCP server of m0n0wall, which works fine so far.
But I do not want to offer DHCP to my wired LAN, just to my WLAN.
So is there a chance (e.g. by a firewall rule) to make this work?

Goal: My m0n0wall (192.168.0.100) should serve DHCP only to clients which connect through my Access Point (192.168.0.101). Wired LAN clients should not "see" the DHCP server.

Thanks
Stefan


« Reply #1 on: June 04, 2012, 16:54:48 »
iridris ***
Posts: 145

I would suggest putting your wireless AP on another OPT port on the m0n0wall. That way, you can independently control DHCP and firewall rules for all wireless clients.
« Reply #2 on: June 04, 2012, 16:59:19 »
henmedia *
Posts: 26

I don't know if this could be a solution for me, because my AP also has a switch which is also in use by wired clients. So clients on this switch would also get DHCP addresses on request.

Stefan
« Reply #3 on: June 04, 2012, 17:17:15 »
iridris ***
Posts: 145

If you have a fixed set of wireless clients, you could restrict down the DHCP server to only reply to clients with a MAC address in its list.
« Reply #4 on: June 04, 2012, 17:22:52 »
henmedia *
Posts: 26

This unfortunately also isn't the case, as there are very often "guests" in our WLAN :-(
« Reply #5 on: July 10, 2012, 05:55:46 »
M *
Posts: 20

Are you trying to deny DHCP services to all ethernet clients or simply 'manage' all standard clients?

For example, we treat all guest clients the same - no discrimination based on connection type (WiFi vs ethernet).
Then for normal (usually ethernet) clients we set DHCP reservations based on the client's MAC address. Normal clients always receive the same IP address via DHCP or maintain their own static setting that won't be used by any other client.

This practice is particularly useful to our laptop users that benefit from a constant IP address - without ever changing a client setting.
« Reply #6 on: July 10, 2012, 08:57:44 »
henmedia *
Posts: 26

All my wired clients have fixed IPs. All my wireless clients (own and even guests) receive dynamic IPs by DHCP.

« Reply #7 on: July 10, 2012, 21:57:13 »
Lennart Grahl ***
Posts: 153

Unless you follow iridris' first suggestion, there is no way to determine whether unknown clients are connected via your AP or via cable.
Well, basically there is, but I doubt that your AP is capable of VLAN tagging.

If your wired clients have fixed IPs, why don't you just change the DHCP address pool? You could also add the wired clients to the fixed address pool of your DHCP server. I don't really see the problem. ;)
« Last Edit: July 10, 2012, 22:02:18 by Lennart Grahl »
« Reply #8 on: July 10, 2012, 22:24:42 »
M *
Posts: 20

> All my wired clients have fixed IPs. All my wireless clients (own and even guests) receive dynamic IPs by DHCP.

Perfect! What more are you trying to accomplish?
If your wired clients have fixed IP addresses, then they will not attempt the DHCP process and will not receive a DHCP assigned address.

If you are concerned that a (wired or) wireless client may receive an IP address that is in use by a statically assigned PC, simply change the size and location of the DHCP pool. Read section 4.5.3: http://doc.m0n0.ch/handbook/config-services.html
« Reply #9 on: July 10, 2012, 23:49:11 »
henmedia *
Posts: 26

The goal is not to give DHCP addresses to any wired clients that are connected to the LAN as they often try to obtain dynamic addresses by default (think of printers, webcams ...).

Here are two routers in my LAN (my m0n0wall and another router which belongs to my neighbour, but we share the same LAN).
Actually, if a device is connected with no static IP, it automatically uses my router, even if it's my neighbour's device. This is what I want to avoid.

As the DHCP requests from my wireless clients pass the AP, I hoped there would be a way to identify this and to deny any other DHCP requests that do not come through the AP.

I hope this clarifies things a little bit :)
« Reply #10 on: July 11, 2012, 00:25:38 »
Lennart Grahl ***
Posts: 153

> Actually, if a device is connected with no static IP, it automatically uses my router, even if it's my neighbour's device. This is what I want to avoid.

As I said before, I don't think there is a way of achieving that with your configuration, apart from using a different network port on m0n0wall.

> As the DHCP requests from my wireless clients pass the AP, I hoped there would be a way to identify this and to deny any other DHCP requests that do not come through the AP.

No, as all traffic from your AP (including the AP's physical network ports) is seen as incoming traffic to m0n0wall. Only the AP itself would be able to tell whether it's traffic from a wireless (one port) or wired (another port) connection.
« Reply #11 on: September 06, 2012, 23:21:50 »
Јаневски ***
Posts: 153

As iridris said, add a separate NIC, so it would be: one for WAN, one for LAN, the other one for WLAN.
Disable DHCP on LAN.
Enable DHCP on WLAN.

Or, if You only have 2 NICs - WAN & LAN You could use IEEE 802.10 frame tagging on the LAN port and feed the trunk port to a switch that would convert it later in access mode.

I prefer the first option, it should be simpler, cheaper and more efficient.
