Dhcpd: how to set gateway none to a specific client

tonysud · Oct 17, 2017, 9:41 PM

I don't want to provide the default gateway for a specific machine with one mac address.

how to set NONE for the gateway of the specific client ?

thanks

johnpoz · Oct 19, 2017, 3:46 PM

Didn't you ask the same question here
https://forum.pfsense.org/index.php?topic=138347.msg756508#msg756508

And you got your answer.. Send loopback or put in a feature request to ask for NONE to work in the reservation screen of dhcp server.

tonysud · Oct 21, 2017, 10:54 AM

I don't want to send localhost as gateway/dns

I haven't understood if it's possibile to avoid sending gateway/dns to a specific client with ISC dhcpd or it's an upstream limitation

johnpoz · Oct 21, 2017, 12:18 PM

its not possible in the gui currently.. If you want it to be possible in the gui - then request that feature. But you can always modify the conf file directly… Your problem being is that would be reset on reboot, upgrade of pfsense, etc.

You have been given multiple ways to accomplish the task. So here are you options.

Send loopback to the client for gateway and dns via dhcpd gui
Edit the conf file directly not to send.
Edit the client directly and do not use dhcpd - and don't set gateway or dns
Send it the gateway info and dns, and then just block it firewall from actually using the gateway for anything you don't want it to go to, all if that is what you want. If handing pfsense as dns to the client you can just block the client at the firewall rules from actually getting to pfsense for dns.

Those are you options until after the options has been added to the gui, if ever.

Put in the feature request and wait for pfsense dev to do it
Put in a bounty request to get someone else to do it.
Write the code yourself and submit it, or use it on your own local install.

Does that answer all your possible questions?

One more option - run yoru dhcpd on something else that allows you to not send gateway and or dns to clients you don't want to send it too.

In your conf for your specific pool or client that you dont want to send gateway remove

option routers
option domain-name-servers

from that section of the conf.

/var/dhcpd/etc/dhcpd.conf

You could always create your own dhcpd.conf.custom file and have dhcpd load that conf vs the default one, etc.

Grimson · Oct 21, 2017, 12:23 PM

There is one more option for the default gateway, but it's only usefull if you want a "whitelist" kind of approach:

Set the gateway to "none" in the global config, then add static leases, with the actual gateway, for all devices that should receive it.

johnpoz · Oct 21, 2017, 12:53 PM

Good point Grimson - missed that one ;)

tonysud · Oct 21, 2017, 1:38 PM

Edit the conf file directly not to send.

:-
I don't understand which directive to use

my dhcpd.conf (generated by pfsense) is like this

subnet 192.168.0.0 netmask 255.255.0.0 {
pool {
option domain-name-servers 192.168.0.88,151.99.0.100,151.99.125.1;
ignore-client-uids true;

range 192.168.2.200 192.168.2.240;
}

option routers 192.168.2.1;
option domain-name-servers 192.168.0.88,151.99.0.100,151.99.125.1;

}

host s_lan_0 {
hardware ethernet 00:25:22:19:0a:74;
fixed-address 192.168.2.8;
}

I want to patch it
what to add inside host s_lan_0 to prevent giving gateway and dns?

johnpoz · Oct 21, 2017, 1:49 PM

So here is that host I handed loopback in mine

host s_lan_3 {
hardware ethernet 00:0c:29:85:7d:0a;
fixed-address 192.168.9.14;
option routers 127.0.0.1;
option domain-name-servers 127.0.0.1;
}

See how it has the option routers and dns… Just don't put anything in those options. But leave the options in there.

So

host s_lan_3 {
hardware ethernet 00:0c:29:85:7d:0a;
fixed-address 192.168.9.14;
option routers ;
option domain-name-servers ;
}

Should work - have not actually tested that... But that is what I would do, or atleast try first. Have not had to edit a dhcpd.conf by hand in many many years ;)

tonysud · Oct 21, 2017, 6:43 PM

@johnpoz:

option routers ;

Configuration file errors encountered – exiting

It doesn't work :(

JKnott · Oct 21, 2017, 7:21 PM

I assume the intent is to keep that device from reaching the Internet. Why not assign it's MAC a specific IP address and then block that address from reaching the 'net?

tonysud · Oct 21, 2017, 9:46 PM

for example one machine has three network cards and has already a default gateway on another card
I want to give only ip and netmask to avoid problem

johnpoz · Oct 23, 2017, 9:28 PM

Well that sort of setup is pretty borked already if you ask me…

But anyway - I tested this.. And its not left blank just use none.. As I said I had not had to edit a dhcpd.conf in a while directly..

So I edited that test host I was playing with to show you loopback..

So I killed dhdpd with killall -3 dhcpd

I then edited the dhcpd.conf

I then restarted it.. from cmd line.. you can find your start command with..

ps axww | grep dhcpd

You could always create a file that does this for you and have it auto start in rc.d that loads your specific conf.. Once you do stuff like this the gui is going to overwrite stuff, etc..

Anyway you can see I edited so its none; for your routers and dns.

Then started dhcpd.. I then did a release and renew on that client. You can see that it had loopback, then when I had it get a new lease it got nothing for gateway and dns. I sniffed this traffic and you can see in the offer that router and dns was not even in the offer.

edit: This is a hack of a work around for sure.. I would suggest you put in a feature request on redmine to allow for none on the dhcp reservation screens.. Since it clearly takes that value as input.