Our network currently consists of 3 subnets on the same link:
- 1.2.3.0/24 is the global subnet
- 10.1.0.0/16 is used for NAT (because there are far more than 200 clients)
- 192.168.0.0/16 is the "guest network", which provides a simple captive portal for unknown hosts
Our dhcpd host has the following /etc/network/interfaces:
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 1.2.3.2
    netmask 255.255.255.0
    gateway 1.2.3.1

iface eth0:1 inet static
    address 192.168.0.1
    netmask 255.255.0.0

iface eth0:2 inet static
    address 10.1.0.2
    netmask 255.255.0.0
and this dhcpd.conf:
authoritative;

# option definitions common to all supported networks...
option domain-name "example.com";
option domain-search "example.com";
option domain-name-servers 8.8.8.8;
option ntp-servers 1.2.3.8;

default-lease-time 600;
max-lease-time 600;

shared-network "corp" {
    include "/etc/nat-classes.conf";

    subnet 1.2.3.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option broadcast-address 1.2.3.255;
        option routers 1.2.3.1;
        default-lease-time 600;
        max-lease-time 600;
        deny unknown-clients;
    }

    subnet 10.1.0.0 netmask 255.255.0.0 {
        option subnet-mask 255.255.0.0;
        option broadcast-address 10.1.255.255;
        option routers 10.1.0.1;
        default-lease-time 600;
        max-lease-time 600;
        include "/etc/nat-pools.conf"; # every user owns a pool of addresses
    }

    subnet 192.168.0.0 netmask 255.255.0.0 {
        pool {
            range 192.168.0.3 192.168.255.254;
            deny known-clients;
        }
        option subnet-mask 255.255.0.0;
        option broadcast-address 192.168.255.255;
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        filename "pxelinux.0";
        next-server 192.168.0.1;
        allow unknown-clients;
    }
}

# ... known host definitions ...
We now observe the following:
- DHCP OFFERs on the 10.1/16 and 192.168/16 subnets contain DHCP option 54 (DHCP server identifier) with the server's public IP address (1.2.3.2); in addition, the IP header has source address 1.2.3.2 and a destination address in the target subnet.
- Shortly before the lease time ends, clients in these subnets try to reach 1.2.3.2 for lease renewal and fail (or they don't even try, because it is not an address in their configured subnet?)
- At least on Android and Win 10, this causes a short but severe layer 3 disconnection.
We are aware of the server-identifier option from dhcpd.conf(5):
The usual case where the server-identifier statement needs to be sent is
when a physical interface has more than one IP address, and
the one being sent by default isn't appropriate for some or
all clients served by that interface. Another common case is when an
alias is defined for the purpose of having a consistent IP
address for the DHCP server, and it is desired that the clients use this IP
address when contacting the server.
However, when this option is set in all 3 corresponding subnet definitions, DHCP stops working on the 10.1/16 and 192.168/16 subnets, because for some reason the DHCP OFFER (which now has the correct source IP and DHCP server identifier header) no longer reaches the clients.
Although a lease time of 600 combined with our captive portal is definitely not a secure solution, how can we make DHCP work properly on the different subnets and have the clients issue renewals in the correct way as soon as the lease time runs out?
Answer 1
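The first observation above (an OFFER whose option 54 carries 1.2.3.2 while the offered address is in 10.1/16) can be checked from a packet capture without trusting the client's behaviour. The following is an added example, not code from the question or from ISC dhcpd: it parses the BOOTP header and the DHCP option list of a raw UDP payload, derives the offered network from yiaddr and option 1, and reports whether the server identifier lies inside that network. The `build_offer` helper only exists to construct a sample packet inline; the offered address 10.1.5.7 and the transaction id are constructed values.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER = 0, 1, 3
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCPOFFER = b"\x02"


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP fields we need plus the option list into a dict."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    # ciaddr/yiaddr/siaddr/giaddr sit at offsets 12, 16, 20, 24
    yiaddr = ipaddress.IPv4Address(packet[16:20])
    siaddr = ipaddress.IPv4Address(packet[20:24])
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr, "options": options}


def check_offer(packet: bytes) -> dict:
    """Report whether option 54 of a DHCPOFFER is an address on the offered subnet."""
    p = parse_dhcp(packet)
    opts = p["options"]
    if opts.get(OPT_MSG_TYPE) != DHCPOFFER:
        raise ValueError("not a DHCPOFFER")
    mask = ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])
    net = ipaddress.IPv4Network((str(p["yiaddr"]), str(mask)), strict=False)
    server_id = ipaddress.IPv4Address(opts[OPT_SERVER_ID])
    # A renewing client unicasts to the server identifier; an off-subnet
    # identifier means that unicast depends on routing from the client's subnet.
    return {
        "yiaddr": str(p["yiaddr"]),
        "network": str(net),
        "server_id": str(server_id),
        "server_id_on_subnet": server_id in net,
    }


def build_offer(xid: int, yiaddr: str, mask: str, router: str, server_id: str) -> bytes:
    """Construct a minimal DHCPOFFER payload (sample input only, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # op=BOOTREPLY, Ethernet
    hdr += bytes(4) + ipaddress.IPv4Address(yiaddr).packed          # ciaddr, yiaddr
    hdr += bytes(4) + bytes(4)                                       # siaddr, giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)                        # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1]) + DHCPOFFER
    opts += bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(mask).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


if __name__ == "__main__":
    # What the question observed on the NAT subnet: identifier is the public 1.2.3.2
    observed = build_offer(0x1234, "10.1.5.7", "255.255.0.0", "10.1.0.1", "1.2.3.2")
    print(check_offer(observed))
    # The same offer with a server identifier taken from the offered subnet
    fixed = build_offer(0x1234, "10.1.5.7", "255.255.0.0", "10.1.0.1", "10.1.0.2")
    print(check_offer(fixed))
```

Feed `check_offer` the UDP payload of each OFFER from a capture on the client side; any result with `server_id_on_subnet` false is a lease whose unicast renewal will leave the client's subnet.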
I finally solved this myself. We have DHCP snooping enabled on the switches, so I entered the 10.1.0.2 IP on the switch as an authorized IP, put the server-identifier back into the config, and voilà, it worked!
shared-network "corp" {
    subnet 1.2.3.0 netmask 255.255.255.0 {
        server-identifier 1.2.3.2;
        # ...
    }
    subnet 10.1.0.0 netmask 255.255.0.0 {
        server-identifier 10.1.0.2;
        # ...
    }
    subnet 192.168.0.0 netmask 255.255.0.0 {
        server-identifier 192.168.0.1;
        # ...
    }
}
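A quick way to keep the fix above from regressing is to lint dhcpd.conf for exactly the property the answer relies on: every subnet inside a shared-network names a server-identifier that belongs to that subnet, and a subnet without one is reported with the address dhcpd would fall back to. The script below is an added example, not part of the answer or of ISC dhcpd; it does a minimal brace-matched parse of `subnet ... netmask ... { }` blocks (nested `pool { }` blocks are skipped over), and the fallback address passed in (1.2.3.2, the primary address of eth0 in the question) is an assumption the caller supplies rather than something the script reads from the interface.

```python
import ipaddress
import re

SUBNET_RE = re.compile(r"subnet\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(\d+\.\d+\.\d+\.\d+)\s*\{")
SERVER_ID_RE = re.compile(r"server-identifier\s+(\d+\.\d+\.\d+\.\d+)\s*;")

# Sample config, constructed from the answer above (explicit server-identifier per subnet)
FIXED_CONF = """
shared-network "corp" {
    subnet 1.2.3.0 netmask 255.255.255.0 {
        server-identifier 1.2.3.2;
        option routers 1.2.3.1;
    }
    subnet 10.1.0.0 netmask 255.255.0.0 {
        server-identifier 10.1.0.2;
        option routers 10.1.0.1;
    }
    subnet 192.168.0.0 netmask 255.255.0.0 {
        pool { range 192.168.0.3 192.168.255.254; deny known-clients; }
        server-identifier 192.168.0.1;   # guest gateway doubles as DHCP server
        option routers 192.168.0.1;
    }
}
"""


def strip_comments(text: str) -> str:
    """Remove '#' comments so braces or addresses inside them are not parsed."""
    return re.sub(r"#.*", "", text)


def subnet_blocks(conf: str):
    """Yield (IPv4Network, block_body) for each subnet { ... } block, honouring nesting."""
    text = strip_comments(conf)
    for m in SUBNET_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        yield net, text[m.end():i - 1]


def lint_server_identifiers(conf: str, fallback: str) -> dict:
    """Map each subnet to the server identifier it will send and whether it is on-subnet.

    `fallback` is the address dhcpd uses when no server-identifier is given
    (assumed here to be the interface's primary address, 1.2.3.2 in the question).
    """
    findings = {}
    for net, body in subnet_blocks(conf):
        m = SERVER_ID_RE.search(body)
        sid = ipaddress.IPv4Address(m.group(1) if m else fallback)
        findings[str(net)] = {
            "server_id": str(sid),
            "explicit": m is not None,
            "on_subnet": sid in net,
        }
    return findings


def without_server_identifiers(conf: str) -> str:
    """Constructed 'before' state: the same config with every server-identifier removed."""
    return SERVER_ID_RE.sub("", conf)


if __name__ == "__main__":
    for name, conf in (("fixed", FIXED_CONF), ("before", without_server_identifiers(FIXED_CONF))):
        print(name)
        for net, f in lint_server_identifiers(conf, "1.2.3.2").items():
            flag = "" if f["on_subnet"] else "  <-- renewals leave the subnet"
            print(f"  {net:18} server-identifier {f['server_id']:14} explicit={f['explicit']}{flag}")
```

Run it against the live dhcpd.conf (read the file into `conf`) after every change; the "before" case reproduces the question's situation, where the two alias subnets inherit 1.2.3.2.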