Did you read the interfaces file carefully?  Your original config suggests
not:

#    dhcp         - Specify this option when any of
#                   the following are true:
#                   1. the interface gets its IP address
#                      via DHCP
#                   2. the interface is used by
#                      a DHCP server running on the firewall
#                   3. you have a static IP but are on a LAN
#                      segment with lots of Laptop DHCP
#                      clients.
#                   4. the interface is a bridge with
#                      a DHCP server on one port and DHCP
#                      clients on another port.


I think you merely needed to specify DHCP on eth1 in the interfaces file.

- Bob

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bodo Meissner
Sent: Thursday, October 20, 2005 5:58 AM
To: leaf-user@lists.sourceforge.net
Subject: [leaf-user] configuration tips: DHCP + shorewall + 2 subnets on 1 ethernet


Hello all,

I had some difficulties getting DHCP working on my system because of my
(probably unusual) configuration. To help others who might run into the same
problems I want to share my experience.

In fact it's not a LEAF-Bering issue but a Shorewall configuration problem.


My network configuration:

Bering-uClibc with 2 ethernet cards used as Internet router, VPN router and
firewall
eth0 connected to ADSL modem
eth1 internal network

eth1 has 2 addresses and is used for 2 subnets on the same ethernet:
192.168.0.0/24 and 10.61.192.0/18

systems in 192.168.0.0/24 have access to internet
systems in 10.61.192.0/18 have access to VPN


I could not get DHCP working with the suggested Shorewall configuration
because of the 2 network addresses on 1 interface.


This is my original configuration:

/etc/network/interfaces
-----------------------
auto ppp0
iface ppp0 inet ppp
         pre-up ip link set eth0 up
         provider dsl-provider eth0

iface eth1 inet static
         address 192.168.0.254
         netmask 255.255.255.0
         broadcast 192.168.0.255

auto eth1:0
iface eth1:0 inet static
         address 10.61.192.254
         netmask 255.255.192.0
         network 10.61.192.0
         broadcast 10.61.255.255

/etc/shorewall/zones
--------------------
net     Net             Internet
loc     Local           Local networks
vpnh    VPN-home        VPN home part
vpno    VPN             VPN office part

/etc/shorewall/interfaces
-------------------------
net     ppp0            -               routefilter,norfc1918
-       eth1            detect
vpno    ipsec0

/etc/shorewall/hosts
--------------------
loc     eth1:192.168.0.0/24
vpnh    eth1:10.61.192.0/18

I used the suggested rule in
/etc/shorewall/rules
--------------------
[...]
# allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work
ACCEPT          loc             fw      udp     67,68
[...]

This did not work. I could see DHCP requests but no replies.
I tried adding an accept rule for packets from "fw" to "loc" but it did not
work either.

This does not work because zone "loc" is not defined in
/etc/shorewall/interfaces but in /etc/shorewall/hosts and the addresses
0.0.0.0 and 255.255.255.255 as used by DHCP are not part of the zone "loc".


I added an additional zone "locbc" to make it work:

/etc/shorewall/zones
--------------------
net     Net             Internet
loc     Local           Local networks
locbc   LocalBC         Local network broadcast
vpnh    VPN-home        VPN home part
vpno    VPN             VPN office part

/etc/shorewall/hosts
--------------------
loc     eth1:192.168.0.0/24
locbc   eth1:255.255.255.255,0.0.0.0
vpnh    eth1:10.61.192.0/18

/etc/shorewall/rules
--------------------
[...]
# allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work
ACCEPT          loc             fw      udp     67,68
ACCEPT          fw              loc     udp     67,68
ACCEPT          locbc           fw      udp     67,68
ACCEPT          fw              locbc   udp     67,68
[...]


I think address 255.255.255.255 does not need to be in "locbc" and the rules
"ACCEPT fw loc..." are not necessary, but I did not (yet) try without these.


Maybe these hints can be included in some documentation or FAQ.


Bodo


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
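The zone problem Bodo describes, modelled as an added example (not code from the thread or from Shorewall): a hosts-defined zone only matches packets whose address falls inside its listed network, so a DHCP client that still uses 0.0.0.0 and a server reply sent to 255.255.255.255 fall into no zone at all under the original hosts file and match no ACCEPT rule. The zone-matching and rule-matching functions below are a deliberately simplified, constructed model of Shorewall's behaviour, and the two broadcast addresses are written as /32 networks for clarity.

```python
from ipaddress import ip_address, ip_network

# Constructed model of /etc/shorewall/hosts: zone -> [(interface, network)].
# Assumption: an address is in a zone when it matches one of the zone's
# hosts entries on that interface (simplified; not Shorewall's own code).
ORIGINAL_HOSTS = {
    "loc":  [("eth1", "192.168.0.0/24")],
    "vpnh": [("eth1", "10.61.192.0/18")],
}
FIXED_HOSTS = {
    "loc":   [("eth1", "192.168.0.0/24")],
    "locbc": [("eth1", "255.255.255.255/32"), ("eth1", "0.0.0.0/32")],
    "vpnh":  [("eth1", "10.61.192.0/18")],
}

# Constructed model of /etc/shorewall/rules: (source, dest, proto, ports).
ORIGINAL_RULES = [("loc", "fw", "udp", {67, 68})]
FIXED_RULES = ORIGINAL_RULES + [
    ("fw", "loc", "udp", {67, 68}),
    ("locbc", "fw", "udp", {67, 68}),
    ("fw", "locbc", "udp", {67, 68}),
]


def zone_of(iface, addr, hosts):
    """Return the zone an address on `iface` belongs to, or None if no entry matches."""
    for zone, entries in hosts.items():
        for entry_iface, net in entries:
            if entry_iface == iface and ip_address(addr) in ip_network(net):
                return zone
    return None


def accepted(src_zone, dst_zone, proto, port, rules):
    """True if some ACCEPT rule covers this zone pair, protocol and port."""
    return any(s == src_zone and d == dst_zone and p == proto and port in ports
               for s, d, p, ports in rules)


def dhcp_exchange_ok(hosts, rules):
    """Check both legs on eth1: DISCOVER from the unconfigured client, broadcast OFFER back."""
    discover_zone = zone_of("eth1", "0.0.0.0", hosts)          # client has no address yet
    offer_zone = zone_of("eth1", "255.255.255.255", hosts)     # server replies to broadcast
    return (accepted(discover_zone, "fw", "udp", 67, rules)
            and accepted("fw", offer_zone, "udp", 68, rules))
```

With the original hosts and rules the exchange is refused at the first leg; with the "locbc" zone and its two rules both legs pass.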


