# Gentoo router -> two dhcp processes possible?

## turtles

I am setting up a Gentoo firewall/router for two WANs and two LANs.

One of the LANs, lan0, will just be for a server that gets dedicated bandwidth.

The other LAN, eth0, will go to a few APs and hubs and provide dhcp for the subnet.

wan0 is a slower static ip backup connection that may be changed to a wireless link.

wan1 is a cable modem that gets its ip from dhcp on the modem, so it needs dhclient to listen for an ip address.

I would prefer to keep this ip address as static as possible and not have the dhcp client restart if the dhcpd server on eth0 restarts.

Is this possible?

I got part of it working a while back but could use some advice on getting dhcp to be a client on wan1 and a server on eth0.

Also I would like /etc/init.d/dhcpd restart to not take down wan1 if possible.

I tried copying /etc/init.d/dhcpcd to /etc/init.d/dhcpd.eth0

and I added a line

```
[ ${SVCNAME} = "dhcpd.eth0" ]
```

I get 

```
 * Starting dhcpd.eth0 ...
 * start-stop-daemon: failed to start `/usr/sbin/dhcpd'                                          [ !! ]
 * ERROR: dhcpd.eth0 failed to start
```

running dhcpd -d from cmd line gives me 

```
dhcpd -d
Internet Systems Consortium DHCP Server 4.2.5-P1 Gentoo-r2
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 0 leases to leases file.
No subnet declaration for lan0 (192.168.2.1).
** Ignoring requests on lan0.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface lan0 is attached. **
Listening on LPF/eth0/00:e0:4c:77:b6:a1/192.168.3.0/24
Sending on   LPF/eth0/00:e0:4c:77:b6:a1/192.168.3.0/24
No subnet declaration for wan1 (73.164.213.154).
** Ignoring requests on wan1.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface wan1 is attached. **
Can't bind to dhcp address: Address already in use
Please make sure there is no other dhcp server
running and that there's no entry for dhcp or
bootp in /etc/inetd.conf.   Also make sure you
are not running HP JetAdmin software, which
includes a bootp server.

This version of ISC DHCP is based on the release available
on ftp.isc.org.  Features have been added and other changes
have been made to the base software release in order to make
it work better with this distribution.

Please report for this software via the Gentoo Bugzilla site:
    http://bugs.gentoo.org/

exiting.
```

Here is my config file:

```
# dhcpd.conf
#
subnet 192.168.3.0 netmask 255.255.255.0 {
  range 192.168.3.10 192.168.3.200;
}
```

in /etc/conf.d/dhcpd I set:

```
DHCPD_IFACE="eth0"
```

Thanks in advance

----------

## szatox

So, you want to run dhcpd as a relay? Maybe better simply bridge eth0 and wan1 so clients on eth0 can simply ask that ISP's dhcp directly?

If not, there is a solution with a NATed network and dhcpd providing IPs from its own arbitrary pool rather than the ISP's, which I have employed. Obviously you can have iptables redirect incoming traffic to your server.

My solution was to split NICs into 2 services. Some of those provide net, and some provide lan instead. My setup goes like this:

eth0 that provides net (by default)

some bridges for local network that provide lan (and do NOT provide net) - those settings must be put in /etc/conf.d/net

dhcpd needs lan (and does not need net)

So, I can:

restart eth0 to re-negotiate IP from provider

take down interfaces bridged to lan

and it will not take down dhcpd. Only taking down a bridge providing lan will.

Only taking down the bridge itself will take dhcpd down, but bridge does not "need" interfaces it enslaves.

Depending on stuff you keep around it might be easier to have local network provide net and replace (or remove) the service provided by wan interfaces. Perhaps it would be fine if you simply added wan interfaces to the boot runlevel to ensure they come up before launching default. I tried the "cleaner" or "more consistent" solution - adding a lan service - and I'm not sure it was worth the effort.

----------

## turtles

I like your bridging idea. I am trying to load balance two network access points to two lans.

Here I drew a sketch of the network:

http://pastebin.com/SVShzB3f

There are 2 WAN gateways from two different ISPs.

The Gentoo router will firewall and load balance the two LANs to the two WAN gateways

and will provide normal router stuff on the lan eth0. I would like dhcpd to only run on eth0 and assign IPs to eth0.

However wan1 is a standard residential cable modem and it is handed a dhcp address by the cable provider's dhcp server.

So some type of dhclient is necessary there.

I don't want that reset if the eth0 network is restarted or dhcp is restarted.


/etc/conf.d/net

```
config_eth0="192.168.3.1/24 brd 192.168.3.255"
config_lan0="192.168.2.1/24 brd 192.168.2.255"

#Cable Modem
#NOTE: modules="dhcpcd" did not work
modules="dhcp"
dhcp_wan1="release"
config_wan1="dhcp"

#ATM/ADSL Modem with static IP
# (stray quote after the address removed; "my static ip" is the poster's placeholder)
config_wan0="my static ip netmask 255.255.255.252"
routes_wan0="default via my static ip"
```

EDIT: my problem with DHCP not starting was because of dyndns misconfiguration.

I am not sure which is more efficient to run as a dhcp server.

----------

## szatox

One more thing came to my mind... How many IPs can you get from your ISP's dhcp? With this setup you need as many as there are servers in the eth1 network, +1 for the router itself.

Ok, so here's a part of example config you could use. The less "consistent" but easier to manage.

/etc/conf.d/net, assuming your server network is on eth1:

```
rc_net_wan0_provide="!net" # do not provide net service
rc_net_wan1_provide="!net" # do not provide net service
config_wan1="null"
config_eth1="null"
bridge_sn0="wan1 eth1" # bind sectors attached to eth1 and wlan1 into a single network
config_sn0="dhcp" # request IP on the bridge interface, in this case it will listen to both, wan1 and eth1 traffic
```

So far so good. The problems arise when we throw iptables into that mix. It's gonna get messy. In fact I doubt binding those 2 sectors just to follow up with netfilter is a good idea. You already have dhcpd configured, right? So, let's start again with something more sensible:

/etc/conf.d/net:

> config_wan1="dhcp"
>
> config_eth0="null"
> ...

 

/etc/conf.d/dhcpd

> DHCPD_IFACE="lan0" # only respond on those interfaces
>
> rc_need="net.lan0 !net" # only depend on the lan0 bridge. Aka "don't blow everything up when external connection goes down"
> ...

 

At this point your wan1 sends dhcp requests to ISP's dhcp,

your eth0 and server network are connected into a single network, however I believe you will be able to prioritize traffic based on the physical interface it's passing. Never tried that though. Another option is to show both interfaces to dhcpd. Downside is, if you start dhcpd with some of those interfaces inactive it will not respond to requests on that interface. If you go this way you might want to abstract physical devices with bridges (bridge lan0 for eth0 + bridge servers1 for eth1 for example), so you can hot-plug some device with dhcpd already running and not have to restart it.

Having servers and the rest on separate networks (with different address pools: you can do that by specifying multiple subnets in dhcpd.conf) allows you to create a DMZ in one of them, but complicates the overall setup. Think about what you need.

Now, firewall and routing to servers: you can assign multiple IPs to a single interface. You can use this to redirect traffic to servers using iptables rules (and filter it in the meantime). This means, servers can have a private IP and still be accessible from the internet. You just use the IP clients at the other side of the internet know on router - and then move those packets around in the way you want. For example you can move traffic incoming on different ports to different hosts in your DMZ.

----------

## turtles

*szatox wrote:*

> One more thing came to my mind... How many IPs you can get from your ISP's dhcp? With this setup you need as many as servers in eth1 network +1 for router itself.
>
> Ok, so here's a part of example config you could use. The less "consistent" but easier to manage.
>
> /etc/conf.d/net, assuming your server network is on eth1:
> ...

 

Thank you so much for the reply, I needed that nudge to get rid of the two lans.

The problem is the cable (wlan1) ISP. It is a typical residential cable modem. The cable provider gives one dynamic ip address, the other ISP gives one static ip address.

I took your advice and bridged the two LANs into one lan I call lan1.

```
#eth1 and lan0 are network cards for the lan
config_eth1="null"
config_eth0="null"

#bridge the lan network cards
bridge_lan1="lan0 eth1"
config_lan1="192.168.2.1/24 brd 192.168.2.255"
```

For the cable modem I used the 'release' option:

```
#Cable Modem
#NOTE: modules="dhcpcd" did not work
modules="dhcp"
dhcp_wan1="release"
config_wan1="dhcp"

#mac needs to match for provider to not have to be called:
mac_wan1="00:08:0d:a6:e9:f8"
#mac_wan1="00:0e:a6:56:82:2b"
#config_wan1="24.21.63.45 netmask 255.255.255.0"
#routes_wan1="default via 192.168.0.1"
```

Seems to be working even after a reboot.

I set the dhcpd interface to be the bridge:

```
DHCPD_IFACE="lan1"
```

and it won't start till 192.168.2.10,

so I assigned the server a static ip of 192.169.2.2

and the bridge a static ip of 192.169.2.1.

*szatox wrote:*

> You can use this to redirect traffic to servers using iptables rules (and filter it in the meantime). This means, servers can have a private IP and still be accessible from the internet. You just use the IP clients at the other side of the internet know on router - and then move those packets around in the way you want. For example you can move traffic incoming on different ports to different hosts in your DMZ.

 

iptables is the way. With this test configuration so far I am only trying to use the cable modem wan1. I can reach the server from the outside, but the rest of the lan can't talk to the internet; as a matter of fact, I have somehow told the lan to resolve every request to the server.

I started with the example in the wiki and did some reading.

So I am missing something about forwarding.

Output of iptables-save:

```
# Generated by iptables-save v1.4.21 on Sun Jan 11 17:55:48 2015
*nat
:PREROUTING ACCEPT [2:397]
:INPUT ACCEPT [2:397]
:OUTPUT ACCEPT [14:992]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.2:443
-A PREROUTING -p tcp -m tcp --dport 1231231 -j DNAT --to-destination 192.168.2.2:324234
-A POSTROUTING -o wan1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sun Jan 11 17:55:48 2015
# Generated by iptables-save v1.4.21 on Sun Jan 11 17:55:48 2015
*mangle
:PREROUTING ACCEPT [373:131400]
:INPUT ACCEPT [130:8413]
:FORWARD ACCEPT [330:132590]
:OUTPUT ACCEPT [122:13935]
:POSTROUTING ACCEPT [438:144608]
COMMIT
# Completed on Sun Jan 11 17:55:48 2015
# Generated by iptables-save v1.4.21 on Sun Jan 11 17:55:48 2015
*filter
:INPUT ACCEPT [17:1681]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [126:13978]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan1 -j ACCEPT
-A INPUT -d 73.164.213.154/32 -i wan1 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A INPUT -d 73.164.213.154/32 -i wan1 -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lan1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i lan1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i wan1 -p tcp -m tcp --dport 324234 -j ACCEPT
-A INPUT ! -i lan1 -p tcp -m tcp --dport 0:1023 -j DROP
-A FORWARD -i lan1 -o lan1 -j ACCEPT
-A FORWARD -i wan1 -o lan1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.2.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.2/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -i lan1 -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -i wan1 -j ACCEPT
-A FORWARD -d 192.168.2.2/32 -p tcp -m tcp --dport 324234 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Jan 11 17:55:48 2015
```

----------

## szatox

You have a policy "accept" almost everywhere, so rules with accept do nothing. You might want to change it to drop for a little bit of extra protection.

Also, you do have ip forwarding enabled, don't you?

```
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
```

```
-A FORWARD -i lan1 -o lan1 -j ACCEPT #  If packet is coming from lan1 and is going to lan1, forward it. You likely want to skip -o part
```

Forwarding with nat goes like this:

```
iptables -A FORWARD -j ACCEPT -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED # Yup, damn old script. state has been replaced by conntrack, it doesn't change much.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
```

You might also be interested in redirecting traffic incoming to your router to another machine:

```
iptables -t nat -A PREROUTING -d XX.XX.XX.XX  -p udp --dport 8767 -j DNAT --to-destination 10.0.0.3:8767
```

You might still need some extra rule to let that incoming traffic pierce your firewall (the first packet is not related to anything your firewall knows and will likely be dropped unless you accept all).

*Quote:*

> I set the dhcpd interface to be the bridge
>
> DHCPD_IFACE="lan1"
> ...

 

I suppose you haven't fixed services (NEED and PROVIDE flags) for your networking. By default openrc is strict with resolving dependencies. This means, since dhcpd requires NET, it will not start until everything providing NET has started. You can disable this behaviour in openrc config or break dhcpd's dependency on interfaces it is not supposed to listen on. And it's not supposed to listen on lan0, eth1, wan0 and wan1 in your case. And yes, lan1 must have a static IP here. A quick fix would be to replace dhcpd's "need net" with "need net.lan1", as it's the only interface of interest for it.

That's it for now, I likely missed a few things, but w/e, that should help you figure it out.
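The points raised in this thread (default DROP policies so ACCEPT rules matter, MASQUERADE only for LAN traffic leaving the WAN, DNAT paired with a matching FORWARD rule, dhcpd reachable only from the LAN) pulled together into one iptables-restore ruleset. This is an added example, not a ruleset from either poster; it assumes the thread's names (wan1 = cable modem, lan1 = bridged LAN on 192.168.2.0/24, server 192.168.2.2) and uses 80 and 443 as the published ports.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for the
# layout discussed above. Assumed from the thread: wan1 = cable modem, lan1 =
# bridged LAN on 192.168.2.0/24, server 192.168.2.2 published on 80 and 443.
WAN=${WAN:-wan1}
LAN=${LAN:-lan1}
LAN_NET=${LAN_NET:-192.168.2.0/24}
SERVER=${SERVER:-192.168.2.2}
PUB_PORTS=${PUB_PORTS:-"80 443"}

rule() { printf '%s\n' "$*"; }   # print one iptables-restore line

gen_rules() {
    # nat table: DNAT only what arrives on the WAN, masquerade only LAN -> WAN
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'; rule ':INPUT ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]';     rule ':POSTROUTING ACCEPT [0:0]'
    for p in $PUB_PORTS; do
        rule -A PREROUTING -i "$WAN" -p tcp --dport "$p" -j DNAT --to-destination "$SERVER:$p"
    done
    rule -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    rule COMMIT
    # filter table: default DROP on INPUT/FORWARD, so the ACCEPT rules now mean something
    rule '*filter'
    rule ':INPUT DROP [0:0]'; rule ':FORWARD DROP [0:0]'; rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$LAN" -j ACCEPT                                # dhcpd (67/udp) and dns only from the LAN
    rule -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT   # lease replies for the dhcp client on wan1
    # forwarded traffic: LAN out, replies back, and only the DNATed ports in to the server
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    for p in $PUB_PORTS; do
        rule -A FORWARD -i "$WAN" -d "$SERVER" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    rule COMMIT
}

# On the router, as root: gen_rules | iptables-restore
# (net.ipv4.ip_forward=1 is still required for the FORWARD chain to see anything)
```

Unlike the posted ruleset, nothing here accepts on a blanket `-A POSTROUTING -j MASQUERADE` or a `-s 192.168.0.0/16 -i wan1` match, so spoofed private-source packets arriving on the cable modem are dropped by policy rather than forwarded.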

----------

