# dhcpd.conf for private/guest networks

## Nerevar

I'm trying to set up dhcpd for my private and guest networks. My "trusted" clients get a 1.x address and are able to connect to the internet. My guest clients do get a 10.x address as desired, but they are unable to connect to the internet.

Is there some other routing option I can set or is this kind of segmentation impossible with net-misc/dhcp?

```
authoritative;

class "trusted" {
    match hardware;
}

subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # pc 1
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # pc 2
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # pc 3
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # mobile 1
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # mobile 2
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # mobile 3
subclass "trusted" 1:XX:XX:XX:XX:XX:XX; # mobile 4

subnet 192.168.0.0 netmask 255.255.0.0 {
    option domain-name-servers 192.168.1.2, 208.67.222.222, 208.67.220.220;
    option interface-mtu 1492;
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;

    pool {
        allow members of "trusted";
        default-lease-time 3600;
        max-lease-time 14400;
        option broadcast-address 192.168.1.255;
        range 192.168.1.50 192.168.1.200;
    }

    pool {
        default-lease-time 600;
        max-lease-time 3600;
        option broadcast-address 192.168.10.255;
        range 192.168.10.50 192.168.10.200;
    }
}
```

Note that I tried doing this with multiple subnets as well. That also had the same issue.

Thanks!

----------

## NeddySeagoon

Nerevar,

What is the output of

```
ifconfig
```

and

```
route
```

?

----------

## Nerevar

Hi Neddy,

ifconfig:

```
wlo1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX  
          inet addr:192.168.10.50  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:11749 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10126 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11698479 (11.6 MB)  TX bytes:1383162 (1.3 MB)
```

route:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    600    0        0 wlo1
link-local      *               255.255.0.0     U     1000   0        0 wlo1
192.168.1.1     *               255.255.255.255 UH    600    0        0 wlo1
192.168.1.2     192.168.1.1     255.255.255.255 UGH   600    0        0 wlo1
192.168.10.0    *               255.255.255.0   U     600    0        0 wlo1
```

Thank you!

----------

## NeddySeagoon

Nerevar,

You only have a single IP address on wlo1, 192.168.10.50, which comes from your untrusted pool.

Route shows

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    600    0        0 wlo1
```

which is good, as you can at most have a single default route.

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    *               255.255.255.0   U     600    0        0 wlo1
```

allows everything on 192.168.10.0/24 to talk among themselves, but the internet gateway is at 192.168.1.1, so it cannot be reached.

You can try

```
route add default gw 192.168.1.1
```

but I suspect that the kernel will complain that it can't reach 192.168.1.1.

Somewhere you need a static route between the two subnets. I guess you didn't want to do that.

What do you want to achieve?

I have two separate interfaces for my trusted and untrusted subnets, so that they are physically separated.

Both are NATed to the internet.

----------
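The gateway mismatch NeddySeagoon describes above can be caught before dhcpd ever hands out a lease. The following Python check is an added example, not code from the thread or from ISC dhcpd: it parses a simplified dhcpd.conf subset (subnet blocks, pools, `option routers`, `option subnet-mask`, `range`) and flags every pool whose clients would receive a default gateway outside their own network. Both embedded configs are constructed; the two-subnet alternative assumes the router actually holds 192.168.10.1 on an interface.

```python
import ipaddress, re
# Constructed from the thread's config: one gateway and one /24 mask inherited by both pools.
BROKEN_CONF = """
subnet 192.168.0.0 netmask 255.255.0.0 {
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    pool { allow members of "trusted"; range 192.168.1.50 192.168.1.200; }
    pool { range 192.168.10.50 192.168.10.200; }
}
"""
# Constructed alternative: one declaration per network, each with a gateway inside it (assumes the router holds 192.168.10.1).
FIXED_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    pool { allow members of "trusted"; range 192.168.1.50 192.168.1.200; }
}
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    pool { range 192.168.10.50 192.168.10.200; }
}
"""

def _block(text, i):  # text inside the '{' at index i, up to its matching '}'
    depth = 0
    for j in range(i, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError("unbalanced braces")

def _opt(body, name, default=None):  # first "option <name> <dotted-quad>" in body
    m = re.search(r"option\s+%s\s+([\d.]+)" % re.escape(name), body)
    return m.group(1) if m else default

def unreachable_gateways(conf):
    """(range start, gateway) for each pool whose default gateway lies outside its network."""
    bad = []
    for m in re.finditer(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{", conf):
        body = _block(conf, m.end() - 1)
        top = re.sub(r"pool\s*\{.*?\}", "", body, flags=re.S)  # subnet-level options only
        for p in re.finditer(r"pool\s*\{", body):
            pool = _block(body, p.end() - 1)
            gw = _opt(pool, "routers", _opt(top, "routers"))        # pool override, else subnet
            mask = _opt(pool, "subnet-mask", _opt(top, "subnet-mask", m.group(2)))
            for r in re.finditer(r"range\s+([\d.]+)", pool):
                net = ipaddress.ip_network(f"{r.group(1)}/{mask}", strict=False)
                if gw and ipaddress.ip_address(gw) not in net:
                    bad.append((r.group(1), gw))
    return bad
```

Run against the thread's layout it reports the 192.168.10.x pool being handed 192.168.1.1 as its gateway; the per-network layout reports nothing, which is exactly the symptom seen on the 10.x clients.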

## Nerevar

*NeddySeagoon wrote:*

> Nerevar,
>
> What do you want to achieve?

Ultimately I'd like to be able to configure a firewall that prevents the untrusted network from reaching the trusted devices (except for the router/dns/dhcp PC). I would like to do this by forcing the untrusted network to a separate ip range if possible but it looks like it's going to take a firewall configuration utilizing MAC addresses.

Edit: You're correct, the 10.x PCs can't ping 192.168.1.1 (they can ping 192.168.1.2). So, that's why they can't get to the Internet.

----------

## NeddySeagoon

Nerevar,

How is your ASCII art? A photo of a sketch works too.

Draw out the systems and interfaces in your network.

Your router, one trusted and one untrusted system will do, with the IPs they have on all interfaces.

Your public IP on the internet is not required. Just those that start with 192.

Post the output of route from those systems.

----------

## Nerevar

Hi Neddy,

I just wanted to say thanks for all your input. It was very much appreciated. You're really awesome on here and have taught so many of us so much!

Regarding this problem, I was able to get what I wanted working in a completely different way following this tutorial:

https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

Best Regards,

Nerevar
