Add static route with netmask to DHCP

PugTsurani

New Member

Reaction score: 1
Messages: 13

Using @kpa's excellent [post=33849]post[/post], I set[]up a DHCP and dynamic DNS server locally. I then added the security/openvpn for external access. I'm running openvpn-2.3.1 configured as a routing (dev tun) VPN server. This works great when connecting to the VPN server but doesn't work when connecting to other computers (SSH, HTTP, ping, etc.). That's because the OpenVPN docs state a route on the server-side LAN needs to be set[]up: http://openvpn.net/index.php/open-source/documentation/howto.html
Including multiple machines on the server side when using a routed VPN (dev tun)
Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

I have a similar setup in a remote office where DHCP and DNS is served from a Netgear router. I can add a static route to the Netgear router for the VPN traffic and it works as expected. I'd like to eventually move the DHCP and DNS services to the FreeBSD server along with OpenVPN.

How can I specify a static route in the net/isc-dhcp42-server 4.2.5 configuration? From my research, DHCP does not officially support static routes and the option static-routes in dhcpd.conf(5) does not support netmasks. This post is exactly what I want to do. The basic answer given to everyone (including that post) is that the "routers will just know the correct route." That assumes, however, you have a true router that implements at least one routing protocol. The two routers I have at my disposal are the Netgear WNDR4500 and Asus RT-N56U. Both support static routes as long as they are serving the DHCP, but if they are not serving the DHCP requests, their static routes are not sent to the clients. Hence, I need to implement static routes from the FreeBSD DHCP responses.

The last post at the bottom of the discussion linked above provided this link to add classless static routes to the DHCP configuration: http://ignoresysprereqs.blogspot.com/2011/05/dhcpd-ruteo-estatico-sin-clase-dhcpd.html If you don't speak spanish, you might need Google Translate. Here's the configuration suggested.
Code:
# # Classless Static Routing definitions
# For the OS that meet the RFC3442 
rfc_routes option code 121 = array of integer 8; 
# For the OS that do NOT meet the RFC3442 (M $) 
no_rfc_routes option code 249 = array of integer 8;

# # Classless Static Routing 
# For the OS that meet the RFC3442 
rfc_routes option 32, 0, 0, 0, 0, 192.168, 1, 1, 
32, 192.168, 50, 25, 192.168, 1, 2, 
24, 192.168, 20, 192.168, 1, 2; 
# For the OS that do NOT meet the RFC3442 (M $) 
no_rfc_routes option 32, 0, 0, 0, 0, 192.168, 1, 1, 
32, 192.168, 50, 25, 192.168, 1, 2, 
24, 192.168, 20, 192.168, 1, 2;

Googling {dhcpd "no_rfc_routes"} yielded only two pages, both from the domain of the post above. Googling {dhcpd "rfc_routes"} yields more results but the information is inconsistent I.e. it doesn't match the previous post. After reading some more, I realize now I need to Google {"dhcpd.conf" "rfc3442-classless-static-routes"} and use any of the numerous examples.

I'm in support and a big believer in documentation. If something is documented, there's no reason to ask for help because you should be able to follow the documentation (RTFM). I'm dismayed and bewildered why this option is not documented in dhcpd.conf(5), dhcpd-options(5), FreeBSD's website or ISC's website. RFC3442 explains the protocol specification but not the configuration syntax. Does anyone know where this is documented?

Writing this post helped me work through my problem and rather than deleting it, I'm posting it in case it helps other people. For those wanting to implement static routes with netmasks in ISC's DHCP implementation, rather than searching for {dhcpd static route netmask} or similar, try searching for obscure keywords like {rfc3442}, {"code 121"} or {"dhcpd.conf" "rfc3442-classless-static-routes"}. Beware, MS did not adhere to the standard and you'll want to search for {"dhcpd.conf" "ms-classless-static-routes"}.
 
Last edited by a moderator:

throAU

Aspiring Daemon

Reaction score: 149
Messages: 910

To add to the above, not only did Microsoft not adhere to standards, there are two different DHCP options within the Microsoft environment for specifying static routes.

If you have Windows client machines, you'll need to configure either or both option 121 (looks like this is RFC compliant? Windows 2008, Windows Vista and later) and 249 (previous) to get those operating systems to add the static routes.

ref: http://tmgblog.richardhicks.com/2009/01/08/using-dhcp-to-assign-static-routes/
 
OP
P

PugTsurani

New Member

Reaction score: 1
Messages: 13

@throAU. I have not tested Windows XP but need to. Now that I've worked through all the nuances, here's what I found.

Windows (only tested Windows 7) works as expected and added the default route correctly.

Linux (Linux Mint 12 Lisa) didn't adhere to the standard and correctly added the default route.

FreeBSD adhere'd to the standard and didn't add the default route specified in option routers. I found this wonderful post that referenced the specific test in the standard, copied here for posterity.
http://tools.ietf.org/html/rfc3442
If the DHCP server returns both a Classless Static Routes option and
a Router option, the DHCP client MUST ignore the Router option.

Mac OS X doesn't implement RFC3442. See https://discussions.apple.com/thread/1757618?start=0&tstart=0 and http://stackoverflow.com/questions/316574/dhcp-setting-in-mac-os-x. This is not an issue for me since my Mac will be with me when I travel and RFC3442 is only to provide routing for OpenVPN access.


Any number of routes can be added to the RFC3442 option provided it doesn't cause the DHCP packet to exceed the maximum size on your network. This post has 31 routes. As mentioned above, the default route has to be added because the specification states only option routers or option rfc3442-classless-static-routes should be used, not both. Here are the relevant parts of /usr/local/etc/dhcpd.conf to implement classless static routes.
Code:
# Option to add static routes with netmask
# RFC3442 routes: overrides routers option
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
# MS routes: adds extras to supplement routers option
option ms-classless-static-routes code 249 = array of unsigned integer 8;

# Local subnet
subnet 172.16.0.0 netmask 255.255.255.0 {
        range 172.16.0.151 172.16.0.199;
        option routers 172.16.0.1;
        option broadcast-address 172.16.0.255;

        # Static route for OpenVPN
        # Classless static routes overrides default route (option routers)
        # Default route needs to be added to the classless static routes
        option rfc3442-classless-static-routes 24, 10,8,0, 172,16,0,10,  0, 172,16,0,1;
        option ms-classless-static-routes      24, 10,8,0, 172,16,0,10,  0, 172,16,0,1;
}
 
Last edited by a moderator:
Top