CentOS 7 Dhcpd Failure To Allow A 2nd Network Over Same Internal Nic

Everyone,

I am trying to set up a second internal network (192.168.0.0/24) and have not been able to get dhcp to start when I have the following in my dhcpd.conf file:

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.110 192.168.0.130;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}

When I remove the above from dhcpd.conf, dhcpd works perfectly.

I have my internal NIC card set with two IP addresses, one of which is 192.168.0.1. The other address is my standard internal network address.

I have also set up the domain server to allow access from 192.168.0.0/24, and the firewall allows internal access to the same subnet.

The error that I get is the following:

Job for dhcpd.service failed because the control process exited with error code. See “systemctl status dhcpd.service” and “journalctl -xe” for details.

When I evaluate journalctl -xe the following is obtained:

dhcpd[18763]: Internet Systems Consortium DHCP Server 4.2.5
dhcpd[18763]: Copyright 2004-2013 Internet Systems Consortium.
dhcpd[18763]: All rights reserved.
dhcpd[18763]: For info, please visit https://www.isc.org/software/dhcp/
dhcpd[18763]: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
dhcpd[18763]: Internet Systems Consortium DHCP Server 4.2.5
dhcpd[18763]: Copyright 2004-2013 Internet Systems Consortium.
dhcpd[18763]: All rights reserved.
dhcpd[18763]: For info, please visit https://www.isc.org/software/dhcp/
dhcpd[18763]: Wrote 0 deleted host decls to leases file.
dhcpd[18763]: Wrote 0 new dynamic host decls to leases file.
dhcpd[18763]: Wrote 2 leases to leases file.
dhcpd[18763]: Interface enp0s29u1u2 matches multiple shared networks
dhcpd[18763]:
dhcpd[18763]: This version of ISC DHCP is based on the release available
dhcpd[18763]: on ftp.isc.org. Features have been added and other changes
dhcpd[18763]: have been made to the base software release in order to make
dhcpd[18763]: it work better with this distribution.
dhcpd[18763]:
dhcpd[18763]: Please report for this software via the CentOS Bugs Database:
dhcpd[18763]: http://bugs.CentOS.org/
dhcpd.service: main process exited, code=exited, status=1/FAILURE
dhcpd[18763]:
systemd[1]: Failed to start DHCPv4 Server Daemon.

When I review the information about dhcpd it appears that it can manage the ip addresses for two networks on different nic cards, but is there a problem in having it manage two networks on the same nic card?

Does anyone have any ideas? Would sure appreciate your help.

Greg Ennis

16 thoughts on - CentOS 7 Dhcpd Failure To Allow A 2nd Network Over Same Internal Nic

  • Can you be a little clearer in what you’re trying to do, as in the end goal you are trying to reach?

    Having dhcp for two different networks on the same physical network is just not going to work in any sane fashion…

    If you want to serve different dhcp pools to different physical networks then you could do that via vlan and trunking from the switch to the server or just ip-helper configuration on the router between the network boundaries.

  • James,

    Sorry about the clarity… I will try again. The man pages and examples in CentOS 7 demonstrate the ability to have two networks on the same dhcpd server, but I did not specifically identify any reference to having both networks on one network card. So far you are obviously correct that this can not be done.

    I am trying to use a wireless router as an adjunct to my home network. I would like to be able to have public network IP addresses assigned from my dhcpd server that are in a different subnet from the other machines in my home. I thought this would be possible but apparently not. I could have the wireless router assign separate subnet IP addresses, but then I would not be able to access the home subnet machines with my wireless connected laptop.

    Is there any way to be able to have two networks work off of one nic card with dhcpd?

    Greg

  • I have not been able to make any headway resolving this problem; finally decided to file a bug report on this that I hope is more clear than the above description:

    https://bugs.CentOS.org/view.php?id658

    Greg

  • Date: Sun, 15 Jan 2017 11:57:35 -0500

    Personally, I don’t understand how you expect the DHCP server to decide which scope to use when a new connection appears on the network.

    DHCP discovery queries are presented from 0.0.0.0 to 255.255.255.255, not to a particular network’s broadcast address.

    I’d be interested to see what happens when one of your 10.x.x.x nodes reaches half time or lease expiration and tries to renew its IP. I tend to think it would then be offered an address from the 192.168.0.x scope instead, if it’s currently offering those to the wireless connections.

  • You can, provided they’re on different physical interfaces.

    I’m mostly certain you can have two DHCP scopes on one physical interface, provided that the DHCP server itself only has addresses on one of them. That is, if eth0 has 192.168.1.9 and only that address, you should be able to offer addresses for 192.168.1.0/24 and also 192.168.2.0/24 on that interface. Any host you want to assign an address in 192.168.2.0/24 will have to be manually added to that subnet with a “host” entry in dhcpd.conf. Otherwise, imagine that you have an Ethernet LAN that includes a WAP. When the DHCP server gets a request from a new host, how does it know whether that client is on Ethernet or WiFi? There’s no indication in the request the server receives that indicates which media the client is using.

    However, attaching two IP subnets to the same broadcast domain is usually a bad idea. Networks are typically segregated for one of two reasons: either to establish access controls or to reduce traffic to improve service. You’ll accomplish neither. Hosts on each subnet won’t be able to communicate with each other directly, but they will all see all of the address discovery traffic broadcast on the network. A host that wanted to communicate with a host in another subnet could simply add a new address manually and bypass any access controls that the router had in place. Worse, because any communication you *do* want to allow has to pass to the router and then be sent back out the same network interface, you’ve actually doubled the amount of traffic on your LAN.

    Having multiple subnets on a single broadcast domain can be an interesting, inexpensive way to experiment with access control or simulate multihosting, but you don’t want to do it for any longer than is necessary for experimental purposes.

  • Date: Sun, 15 Jan 2017 14:05:37 -0800

    Probably, but if you’re trying to restrict access, you need to be clear about how you’re going to achieve that. If your router only has one internal interface, it may be difficult to achieve.

    If you have two WAPs behind your router, with one in bridging mode (therefore getting addresses from your CentOS DHCP server) and the other in NAT or routing mode, you will have effectively segregated the two. However, systems behind the NAT/routing WAP would still typically have access to the other subnet. You’d need to not only have the untrusted clients behind a WAP of their own, but that WAP would need to allow you to specify firewall rules for outbound traffic. That’s not a feature present on most consumer devices.

  • Gordan,

    You have been very beneficial in helping me understand this process. Thank you very much.

    Greg

  • You’d be better off with a single Wireless Access Point (not router) that has support for a guest network, and requires authentication for connecting to the secure network. I have a couple of Ubiquiti UniFi APs that support this (not that I’ve configured them that way as I don’t need

    These guest networks function best if you have a switch and router that supports VLANs.

  • VLANs are your friend, otherwise DHCPD is not going to understand how to properly answer your request for different networks on the same interface.

  • Here’s an idea – untested. Set up a network on the single nic – say 192.168.55.xx/24.
    Set up the dhcp to offer leases from a subset of this network – say 192.168.55.128/28.
    Set up fixed leases based upon mac address from the remainder of the network – i.e. outside the subset above – e.g. 192.168.55.1/28.
    Then route / firewall as required – i.e. trusted known mac address hence IP address allowed vs unknown guest given an IP address we can block or otherwise handle. As indicated, this is not tested but if memory serves, dhcpd will allow this kind of allocation. HTH
    Rob

  • The untrusted wireless users will be able to access other LAN machines without going through the firewall.

  • Surely that depends upon the subnet they operate on (i.e. the subnet mask in old vernacular) – the two I show above are mutually exclusive but can both talk to the server.

  • You can’t mix subnets like that. It just won’t work. The local broadcast address for the /24 isn’t in either of your /28s, and what do the two /28s use for their default gateway?

  • Be careful about expecting VLANs to provide security. VLANs are for traffic management and are not directly a security tool. They might be useful in a carefully designed security model.

    I do something like this (although FreeBSD is my dhcp server), only I do it like the original proposal: two addresses on the DHCP server and both subnets configured. Part of my dhcp configuration includes:

    shared-network shared {
        # Primary subnet
        subnet 192.168.30.0 netmask 255.255.255.0 {
            option routers 192.168.30.1;
            max-lease-time 86400;
            default-lease-time 86400;
            authoritative;

            range 192.168.30.48 192.168.30.59;
        }

        # Secondary subnet (no range: addresses here are only handed out via host entries)
        subnet 192.168.40.0 netmask 255.255.255.0 {
            option routers 192.168.40.1;
            max-lease-time 86400;
            default-lease-time 86400;
            authoritative;
        }
    } # end of shared-network shared

    # Pin this host to the secondary subnet by its MAC address
    host ip-phone-1 {
        hardware ethernet 00:0b:82:xx:xx:xx;
        ## fixed-address 192.168.30.129;
        fixed-address 192.168.40.129;
    }

    There are other things necessary to make this all work. I also have a FreeBSD system acting as a router between the subnets and my ISP connection. I also have a caching dns service on both subnets (I didn’t include the dns related configuration in the example above).

    As others have suggested, this also is NOT a security technique. The systems in each address space will have access to systems in the other address space even without a router. I don’t distinguish between trusted and untrusted networks, I assume all are untrusted and secure the systems themselves as needed.

    Stuart
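The startup failure in the original post (“Interface enp0s29u1u2 matches multiple shared networks”) and the shared-network shape in Stuart’s fragment can be checked before restarting dhcpd. The following is an added example, not code from this thread or from ISC dhcpd: a small Python model of how dhcpd attaches top-level subnets and shared-networks to an interface, plus the on-link check behind the objection to carving /28s out of a /24. The 10.0.0.0/24 subnet, the interface’s second address and the /28 fragment are constructed assumptions.

```python
import ipaddress
import re

# Constructed samples; the 10.0.0.0/24 subnet and the NIC's second address are assumptions.
GREG_CONF = """
subnet 10.0.0.0 netmask 255.255.255.0 { range 10.0.0.100 10.0.0.150; option routers 10.0.0.1; }
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.110 192.168.0.130;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
}
"""
# The same two subnets inside one shared-network, the shape Stuart's config uses.
SHARED_CONF = "shared-network shared {" + GREG_CONF + "}"
# A /28 carved out of a /24 whose gateway lies outside it (the objection to the /28 plan).
ROB_CONF = """subnet 192.168.55.128 netmask 255.255.255.240 {
  range 192.168.55.130 192.168.55.140; option routers 192.168.55.1; }"""
IFACE, IFACE_ADDRS = "enp0s29u1u2", ["10.0.0.1", "192.168.0.1"]

TOKEN_RE = re.compile(r"#[^\n]*|\{|\}|;|[^\s{};]+")

def parse(text):
    """Parse a dhcpd.conf fragment into a tree of {kind, args, stmts, children} nodes."""
    root = {"kind": "root", "args": [], "stmts": [], "children": []}
    stack, cur = [root], []
    for tok in (t for t in TOKEN_RE.findall(text) if not t.startswith("#")):
        if tok == "{":    # opens a shared-network / subnet / host block
            node = {"kind": cur[0], "args": cur[1:], "stmts": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            cur = []
        elif tok == ";":  # ends a statement such as 'range a b;'
            stack[-1]["stmts"].append(cur)
            cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
    if len(stack) != 1 or cur:
        raise ValueError("unbalanced braces or unterminated statement")
    return root

def subnet_of(node):  # 'subnet A netmask M {' -> ip_network A/M
    return ipaddress.ip_network(f"{node['args'][0]}/{node['args'][2]}", strict=False)

def shared_networks(root):
    """dhcpd treats each top-level subnet as an implicit shared network of its own."""
    nets = []
    for n in root["children"]:
        if n["kind"] == "shared-network":
            nets.append((n["args"][0], [c for c in n["children"] if c["kind"] == "subnet"]))
        elif n["kind"] == "subnet":
            nets.append((n["args"][0], [n]))
    return nets

def check_interface(root, iface, iface_addrs):
    """The diagnostic dhcpd logs for an interface, or None if exactly one shared network matches."""
    addrs = [ipaddress.ip_address(a) for a in iface_addrs]
    matched = [name for name, subs in shared_networks(root)
               if any(a in subnet_of(s) for s in subs for a in addrs)]
    if len(matched) > 1:
        return f"Interface {iface} matches multiple shared networks"
    return None if matched else f"No subnet declaration for {iface}"

def check_subnets(root):
    """Flag ranges and 'option routers' values that fall outside their own subnet."""
    problems = []
    for _, subs in shared_networks(root):
        for s in subs:
            net = subnet_of(s)
            for st in s["stmts"]:
                if st[0] == "range":
                    ips = [ipaddress.ip_address(x) for x in st[1:] if x != "dynamic-bootp"]
                    if not all(ip in net for ip in ips):
                        problems.append(f"range {ips[0]}-{ips[-1]} not inside {net}")
                elif st[:2] == ["option", "routers"]:
                    for gw in (x.strip(",") for x in st[2:]):
                        if ipaddress.ip_address(gw) not in net:
                            problems.append(f"router {gw} not on-link for {net}")
    return problems

if __name__ == "__main__":
    for label, conf in (("original", GREG_CONF), ("shared-network", SHARED_CONF)):
        print(label, "->", check_interface(parse(conf), IFACE, IFACE_ADDRS))
    print("/28 plan ->", check_subnets(parse(ROB_CONF)))
```

Wrapping both subnets in one shared-network is what turns the fatal “matches multiple shared networks” into a clean start; the model does not replace `dhcpd -t`, which still validates the full file.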