Dhcpd: how to set gateway none to a specific client



  • I don't want to provide the default gateway to a specific machine with one MAC address.

    How do I set NONE for the gateway of that specific client?

    Thanks


  • LAYER 8 Global Moderator

    Didn't you ask the same question here
    https://forum.pfsense.org/index.php?topic=138347.msg756508#msg756508

    And you got your answer.. Send loopback or put in a feature request to ask for NONE to work in the reservation screen of dhcp server.



  • I don't want to send localhost as gateway/DNS.

    I haven't understood whether it's possible to avoid sending gateway/DNS to a specific client with ISC dhcpd, or whether it's an upstream limitation.


  • LAYER 8 Global Moderator

    It's not possible in the GUI currently.. If you want it to be possible in the GUI - then request that feature.  But you can always modify the conf file directly… The problem being that it would be reset on reboot, upgrade of pfSense, etc.

    You have been given multiple ways to accomplish the task.  So here are your options.

    Send loopback to the client for gateway and DNS via the DHCP server GUI.
    Edit the conf file directly not to send them.
    Configure the client directly and do not use DHCP - and don't set gateway or DNS.
    Send it the gateway and DNS info, and then just block it at the firewall from actually using the gateway for anything you don't want it to reach (or everything, if that is what you want).  If handing pfSense to the client as DNS, you can just block the client at the firewall rules from actually reaching pfSense for DNS.

    Those are your options until the option has been added to the GUI, if ever.

    Put in the feature request and wait for pfsense dev to do it
    Put in a bounty request to get someone else to do it.
    Write the code yourself and submit it, or use it on your own local install.

    Does that answer all your possible questions?

    One more option - run your dhcpd on something else that allows you to not send gateway and/or DNS to clients you don't want to send it to.

    In your conf, for the specific pool or client that you don't want to send the gateway to, remove

    option routers
    option domain-name-servers

    from that section of the conf.

    /var/dhcpd/etc/dhcpd.conf

    You could always create your own dhcpd.conf.custom file and have dhcpd load that conf vs the default one, etc.


  • Banned

    There is one more option for the default gateway, but it's only useful if you want a "whitelist" kind of approach:

    Set the gateway to "none" in the global config, then add static leases, with the actual gateway, for all devices that should receive it.


  • LAYER 8 Global Moderator

    Good point Grimson - missed that one ;)



  • Edit the conf file directly not to send.

    I don't understand which directive to use.

    My dhcpd.conf (generated by pfSense) is like this:

    subnet 192.168.0.0 netmask 255.255.0.0 {
        pool {
            option domain-name-servers 192.168.0.88,151.99.0.100,151.99.125.1;
            ignore-client-uids true;

            range 192.168.2.200 192.168.2.240;
        }

        # subnet-scope options, inherited by every lease in this subnet
        option routers 192.168.2.1;
        option domain-name-servers 192.168.0.88,151.99.0.100,151.99.125.1;
    }

    # static reservation for the client in question
    host s_lan_0 {
        hardware ethernet 00:25:22:19:0a:74;
        fixed-address 192.168.2.8;
    }

    I want to patch it. What do I add inside host s_lan_0 to prevent it from giving out the gateway and DNS?


  • LAYER 8 Global Moderator

    So here is that host where I handed out loopback in mine:

    host s_lan_3 {
        hardware ethernet 00:0c:29:85:7d:0a;
        fixed-address 192.168.9.14;
        option routers 127.0.0.1;
        option domain-name-servers 127.0.0.1;
    }

    See how it has the option routers and DNS… Just don't put anything in those options.  But leave the options in there.

    So

    host s_lan_3 {
        hardware ethernet 00:0c:29:85:7d:0a;
        fixed-address 192.168.9.14;
        option routers ;
        option domain-name-servers ;
    }

    Should work - have not actually tested that... But that is what I would do, or at least try first.  Have not had to edit a dhcpd.conf by hand in many many years ;)



  • @johnpoz:

    option routers ;

    Configuration file errors encountered – exiting

    It doesn't work :(



  • I assume the intent is to keep that device from reaching the Internet.  Why not assign its MAC a specific IP address and then block that address from reaching the 'net?



  • For example, one machine has three network cards and already has a default gateway on another card.
    I want to give it only an IP and netmask to avoid problems.


  • LAYER 8 Global Moderator

    Well that sort of setup is pretty borked already if you ask me…

    But anyway - I tested this.. And it's not left blank, just use none..  As I said I had not had to edit a dhcpd.conf directly in a while..

    So I edited that test host I was playing with to show you loopback..

    So I killed dhcpd with killall -3 dhcpd

    I then edited the dhcpd.conf

    I then restarted it.. from cmd line.. you can find your start command with..

    ps axww | grep dhcpd

    You could always create a file that does this for you and have it auto start in rc.d that loads your specific conf.. Once you do stuff like this the gui is going to overwrite stuff, etc..

    Anyway you can see I edited so it's none; for your routers and DNS.

    Then started dhcpd.. I then did a release and renew on that client.  You can see that it had loopback, then when I had it get a new lease it got nothing for gateway and dns.  I sniffed this traffic and you can see in the offer that router and dns was not even in the offer.

    edit:  This is a hack of a work around for sure.. I would suggest you put in a feature request on redmine to allow for none on the dhcp reservation screens.. Since it clearly takes that value as input.
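
The sniff at the end of that post is the check worth automating: decode the server's OFFER and confirm that option 3 (routers) and option 6 (domain-name-servers) are absent rather than merely empty or pointing at loopback. The block below is an added example, not code from the thread, from pfSense or from ISC dhcpd. The two OFFER frames are constructed inline (not captures) and reuse the test host's MAC and address from the posts above; the `build_offer`/`parse_offer` names are the example's own.

```python
"""Decode a DHCPOFFER and report which gateway (option 3) and DNS servers
(option 6) the server actually handed out.

Added example for this thread, not code from pfSense or ISC dhcpd. The
two frames at the bottom are constructed by hand (not captures) to mimic
the loopback workaround and the "none" reservation described above.
"""
from __future__ import annotations

import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the option area
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 51, 53, 255
BOOTP_HDR_LEN = 236                # fixed BOOTP header that precedes the cookie


def parse_options(data: bytes) -> dict[int, bytes]:
    """Walk the TLV option area. Pad (0) has no length byte, End (255)
    terminates, and a repeated code is concatenated (RFC 3396)."""
    if data[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts: dict[int, bytes] = {}
    i = 4
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("option area not terminated by End (255)")


def _addr_list(raw: bytes, code: int) -> list[str]:
    """Split an option carrying N IPv4 addresses into dotted strings."""
    if len(raw) % 4:
        raise ValueError(f"option {code}: length {len(raw)} is not a multiple of 4")
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def parse_offer(frame: bytes) -> dict:
    """Return the lease fields that matter for a 'no gateway' check.
    Empty 'routers' / 'dns' lists mean the option was not in the offer."""
    if len(frame) < BOOTP_HDR_LEN + 4:
        raise ValueError("frame shorter than BOOTP header plus cookie")
    op, _htype, hlen = struct.unpack("!BBB", frame[:3])
    if op != 2:
        raise ValueError("not a BOOTREPLY (op != 2)")
    opts = parse_options(frame[BOOTP_HDR_LEN:])
    return {
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],   # 2 == DHCPOFFER
        "yiaddr": str(IPv4Address(frame[16:20])),
        "chaddr": frame[28:28 + hlen].hex(":"),
        "routers": _addr_list(opts.get(OPT_ROUTER, b""), OPT_ROUTER),
        "dns": _addr_list(opts.get(OPT_DNS, b""), OPT_DNS),
    }


def build_offer(yiaddr: str, mac: bytes, extra: list[tuple[int, bytes]]) -> bytes:
    """Construct a minimal DHCPOFFER; used only to fabricate sample input."""
    hdr = struct.pack("!BBBBIHH", 2, 1, len(mac), 0, 0x3903F326, 0, 0)
    hdr += bytes(4)                          # ciaddr
    hdr += IPv4Address(yiaddr).packed        # yiaddr: the address being offered
    hdr += bytes(8)                          # siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")            # chaddr
    hdr += bytes(64 + 128)                   # sname, file
    assert len(hdr) == BOOTP_HDR_LEN
    body = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, 2])
    for code, val in extra:
        body += bytes([code, len(val)]) + val
    return hdr + body + bytes([OPT_END])


# Constructed samples (not captures): the MAC and address are the test host
# from the thread. One mirrors "send loopback", the other omits both options.
TEST_MAC = bytes.fromhex("000c29857d0a")
LOOPBACK_OFFER = build_offer("192.168.9.14", TEST_MAC, [
    (OPT_ROUTER, IPv4Address("127.0.0.1").packed),
    (OPT_DNS, IPv4Address("127.0.0.1").packed),
    (OPT_LEASE, struct.pack("!I", 7200)),
])
NO_GATEWAY_OFFER = build_offer("192.168.9.14", TEST_MAC, [
    (OPT_LEASE, struct.pack("!I", 7200)),
])

if __name__ == "__main__":
    for name, frame in (("loopback", LOOPBACK_OFFER), ("none", NO_GATEWAY_OFFER)):
        info = parse_offer(frame)
        print(name, info["yiaddr"], "routers=", info["routers"], "dns=", info["dns"])
```

Feed `parse_offer` the UDP payload of the server's OFFER (the bytes from the BOOTP `op` field onward, as shown by a packet sniffer); a reservation that really omits the options yields empty `routers` and `dns` lists, whereas the loopback workaround still shows `127.0.0.1` in both, so a client that tries to use them sends traffic to itself instead of having no route at all.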


