Gentoo Forums :: Gentoo Chat
Do you use your routers DHCP?
Poll: Do you use your routers' DHCP
Yes, I use my routers' DHCP: 54% [ 17 ]
No, I run a separate server hosted by a Gentoo box: 29% [ 9 ]
Other (please elucidate): 16% [ 5 ]
Total Votes: 31

Tony0945 (Advocate; Joined: 25 Jul 2006; Posts: 3189; Location: Illinois, USA)
Posted: Fri Apr 26, 2019 11:43 pm    Post subject: Do you use your routers DHCP?

Googling about, it seems like the general advice is to use your router's DHCP unless you run a business. Then they advise running a Win 10 server! No one mentions Linux. I'm wondering if it's advisable to shut off my router's DHCP and add a DHCP server on my central server box that already hosts my DNS server (DNSmasq). I'm curious as to what other Gentoo denizens do. This is a home system, but I restrict access by MAC (yes, I know it's supposed to be ineffective but I'm hoping my threats are not that sophisticated).

eccerr0r (Watchman; Joined: 01 Jul 2004; Posts: 7232; Location: almost Mile High in the USA)
Posted: Sat Apr 27, 2019 12:00 am

For home use, if you don't run a 24/7 server that has at least a little redundancy, you're probably better off running your DHCP server on the same machine that deals with your network - and that's usually your router. That way if the router fails, who cares if your DHCP server fails with it. In your case if you're also depending on DNSmasq it may make sense to run them on the same machine to keep them synchronized, though some routers have DHCP servers that modify their local DNS.

I ended up dabbling back to using a pfSense router/firewall dealing with DHCP on a VM because I have machines on both public/static IP and local/DHCP, at least some of the machines will work without dealing with a failed DHCP server as the public IP machines do not go through the firewall.

I may reconfigure some more when I figure out how to reliably work with pfSense as it would be nice for it to meter all packets - but then I'd have to think about failover or somehow increase the reliability of the pfSense machine as I've had pfSense fail, taking down that subnet.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

Dr.Willy (Guru; Joined: 15 Jul 2007; Posts: 500; Location: NRW, Germany)
Posted: Sat Apr 27, 2019 9:12 am

Uhhh, I run an OpenWRT router sooo … router or linux-server? why not both?

NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 43754; Location: 56N 3W)
Posted: Sat Apr 27, 2019 12:38 pm

Tony0945,

I'm not sure how to answer, but it's a bit of both, or even all three.

I don't have a physical router ... well I do because I changed my broadband contract and the ISP sent me one. It's still lying in its box, unopened.

My router is a Gentoo KVM.
It runs a dhcp server for a few things. Wifi, which is on its own subnet. A few things on wired too but the systems I use all have static IPv4 setups. I need that to get to the router's bare metal host when the router falls over.
The DMZ has to be static. I could use dhcp to bind IP addresses to MAC addresses but security demands that you don't run anything you don't need.
It's the old adage of the wider you open the window, the more dirt blows in.

IPv6 is different, you don't run a dhcp server. Well you can but that's probably doing it wrong. You run a router advertisement daemon and it all just works. Most of the time.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Tony0945 (Advocate; Joined: 25 Jul 2006; Posts: 3189; Location: Illinois, USA)
Posted: Sat Apr 27, 2019 1:24 pm

NeddySeagoon, I had previously set up my old k6-3 computer as a router following the wiki, but the ISP had conniptions, sending me e-mail about "foreign device" on their network. I think that may be because the MAC address changed. I do own my own router, a DLINK DIR-655, but I no longer use it for DNS.
Way back in the dawn of time, I had an ISP provided gateway and I had to register my cable modem and router with the ISP. They told me to change the router's MAC to match the old gateway. I probably should have done that with the old k6-3. Anyway, I got some strange things happening and I really didn't understand what I was doing with iptables, just following the wiki by rote. I know you use shorewall and I emerged that but it was more un-understandable than iptables. I'm intrigued by your and 1clue's use of a separate address space and NIC for wifi, which would settle my qualms about IOT snooping. I thought of starting a chat post about that. Just this morning, I got an e-mail from Newegg pushing routers and was intrigued by the Ubiquiti ER-4-US which is a router with no wifi or switch, just a plain configurable router with eth0 and eth1. From the user comments:
Quote:

A standard expensive "router" is actually three things at once: a router, a switch, and a wireless access point. When one device serves all these purposes, a problem with one of them can create a problem for all of them. Resetting your Wi-Fi disrupts the entire network. A heavy CPU demand by one service will slow down the other services.

Splitting them in three allows each device to be devoted to its own task. The ER-4 routes and that is all; the R7000 is now an access point and a lot faster and more reliable than previously; a Cisco SG112-24 switch deals with the LAN traffic; and also a raspberry pi is running a pi-hole DHCP server. Everything works much faster and more reliably than before. Troubleshooting no longer holds the entire network hostage.

This router is extremely fast, highly customizable (including robust CLI support if you desire), and relatively user-friendly. Bufferbloat is essentially gone. My network is a well-oiled machine. If you use the internet like most of us do, this thing is worth it.

Cons: Out of the box, I could not access the GUI and the router didn't respond to pings. A few factory resets fixed the problem. More documentation would be helpful for a tech-comfortable but still beginner like me.

krinn (Watchman; Joined: 02 May 2003; Posts: 7167)
Posted: Sat Apr 27, 2019 1:35 pm

For all that is wired I don't use dhcp, all static.
For wireless devices, I use router dhcp with a limited range (10 ips).

Anon-E-moose (Advocate; Joined: 23 May 2008; Posts: 4258; Location: Dallas area)
Posted: Sat Apr 27, 2019 1:49 pm

Pretty much the same as krinn.

Wired are static, wifi I let dhcp handle.

ETA:
To add, to my above, my main gentoo box is up 24x7, it is on the dmz, with a proper firewall.
I run bind and have the other systems in the house use me for dns resolution.
I have one other box that's a mini-web server for a few friends, that gets a port redirect from the router (otherwise it's shut off from the internet)
The router is set up for no incoming internet, other than the web port mentioned and a port for the home video surveillance system.

I guess I could handle all dhcp serving, but I'm not that paranoid ... yet. :lol:

It's been a while, but I used to run a complete port scan every so often, guess I've gotten blasé in my old age.
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon


Last edited by Anon-E-moose on Sat Apr 27, 2019 5:25 pm; edited 1 time in total

Jaglover (Watchman; Joined: 29 May 2005; Posts: 7256; Location: Saint Amant, Acadiana)
Posted: Sat Apr 27, 2019 2:55 pm

Same as krinn, with 20 addresses for guests using DHCP.
_________________
Please learn how to denote units correctly!

berferd (Tux's lil' helper; Joined: 13 May 2004; Posts: 117)
Posted: Sat Apr 27, 2019 3:19 pm

Tony0945 wrote:
Anyway, I got some strange things happening and I really didn't understand what I was doing with iptables...

I had a painful flashback to writing sendmail.cf files by hand the first time I saw an iptables rules file. Here's what I have to say about that:
https://www.youtube.com/watch?v=YxYvzVxJtYM

I use OpenBSD on my firewall. The pf.conf(5) syntax is positively easy by comparison.

My wifi access point is bridged onto my wired LAN. All clients wired and wireless get their IP addresses from isc-dhcp running on my Gentoo server. I do dynamic updates to BIND running on the same host because once upon a time I was really anal about hosts and IP addresses resolving and reverse-resolving properly. The firewall is a secondary DNS server (also BIND), but is listed as the first resolver in the DHCP config. This is so I can reboot the Gentoo box without causing an Internet outage.

Unfortunately this is an old-school crunchy on the outside and soft and gooey on the inside network setup. I've become weak in my old age and have actually allowed some devices I didn't assemble myself on to my network. Besides, providing wifi Internet access to your guests has become basic hospitality in the 21st century. This means any number of random phones with random vendored Android versions floating around in my soft and gooey network. That, plus DNS rebinding attacks have convinced me it's time for Home Network 3.0.

The plan is to have 4 zones, Internet, wired, wireless and device, each with its own interface on my firewall. I was originally gonna use VLANs on an old managed Cisco switch I have, but the damn thing draws 72 watts, it's notoriously difficult to get Cisco firmware updates for gray hardware such as this, and the firmware itself seems to expose a large attack surface. I'm going to make do with my existing dumb 32-port gigabit switch and a new 8-port switch.

The Internet zone will be a direct connection between the firewall and my ISP's premises hardware. The wireless zone will be a direct connection to the wifi access point. The wired network will be the 32-port switch, and the device network will be the 8-port switch. The access rules will be as follows:
  • There will be no inbound access allowed at all from the Internet.
  • The wired network will be allowed outbound access to the Internet and wifi network. It will only allow inbound access from the wifi network and only on selected ports.
  • The wireless network will be allowed outbound access to the Internet and to selected ports on the wired network. It will allow all inbound access from the wired network.
  • The device network will be allowed outbound access to the Internet. No inbound access at all will be allowed.

This means moving the DHCP server to the firewall. Not sure what I'm going to do about DNS yet.

Ant P. (Watchman; Joined: 18 Apr 2009; Posts: 5914)
Posted: Sat Apr 27, 2019 4:12 pm

My router is a Gentoo server. I don't trust the plastic black box with a 2.6 kernel between it and the phone line to do a good job of anything, besides moving packets between two interfaces.

Tony0945 (Advocate; Joined: 25 Jul 2006; Posts: 3189; Location: Illinois, USA)
Posted: Sat Apr 27, 2019 5:01 pm

berferd wrote:
There will be no inbound access allowed at all from the Internet.

So how do you sync portage? Or access the forum? I think I am misunderstanding this statement. When I read the RFC (sometime in the 1990's!) I understood it to say that your browser sends a request for header, the website sends a header back describing the file and its size, then the browser sends a request for file, reassembling the chunks that come back which may be out of order. How can that work if you don't allow inbound traffic? If the answer is too long, could you please point me to a knowledge base somewhere?

EDIT: No I don't own a TARDIS. The date had an extra 9 in it.

1clue (Advocate; Joined: 05 Feb 2006; Posts: 2562)
Posted: Sat Apr 27, 2019 5:25 pm

I believe that the reference implementation of DHCP is for UNIX. So no real problems with that.

I have 2x raspberry pi's doing DNS and DHCP on Raspbian. Each pi is on an underutilized battery backup which contains only networking equipment.

One is a primary DNS for my local LAN, the other is backup. Both cache incoming requests.

The DHCP is set up as failover, one has the lower half of each subnet and the other has the upper half.

I used pi's because they're cheap, and I wanted something low powered and always on. I can duplicate the SD card and stick the duplicate into the other pi, change a few lines and it's ready to go. That said it would probably be easy enough to handle the same thing with a private git server and a couple branches, or an external config file.

I installed Gentoo on a pi once, but even with the minimal setup I had the pi spent literally all its time doing updates. It was a huge amount of tinkering with it too, so I gave that up.

I also have a homemade router which is way overkill. A Supermicro board with an Intel atom c2758 and 7x built-in Intel NICs. I'm currently reworking it so it's not a router at the moment.

It makes really good 'practical' sense to have the dhcp and dns on the router, but I sometimes wonder if it doesn't have security implications. I don't think that my first target once hacking into a remote network would be to change one of these things though.

Anon-E-moose (Advocate; Joined: 23 May 2008; Posts: 4258; Location: Dallas area)
Posted: Sat Apr 27, 2019 5:26 pm

Tony0945 wrote:
berferd wrote:
There will be no inbound access allowed at all from the Internet.

So how do you sync portage?


I think what he meant was no internet side originating access, in other words set up the firewall to allow conversations/connections started from the inside only.
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon

Tony0945 (Advocate; Joined: 25 Jul 2006; Posts: 3189; Location: Illinois, USA)
Posted: Sat Apr 27, 2019 5:37 pm

Anon-E-moose wrote:
I think what he meant was no internet side originating access, in other words set up the firewall to allow conversations/connections started from the inside only.

I figured it had to be something like that, but can't a reply be spoofed? Or does the router know what it sent and where? My lack of knowledge is deep.

Anon-E-moose (Advocate; Joined: 23 May 2008; Posts: 4258; Location: Dallas area)
Posted: Sat Apr 27, 2019 5:43 pm

Tony0945 wrote:
Anon-E-moose wrote:
I think what he meant was no internet side originating access, in other words set up the firewall to allow conversations/connections started from the inside only.

I figured it had to be something like that, but can't a reply be spoofed? Or does the router know what it sent and where? My lack of knowledge is deep.


Anything can be spoofed.
Having said that, most things that could be spoofed wouldn't be worth someone's time, or it would require the resources of something like the FBI/NSA/whatever.
So for common things, shutting normal ports to incoming traffic, running a proper iptables/nftables firewall, keeps you relatively safe.

ETA:
This part of the firewall keeps out incoming traffic, except for inside started connections.
Code:
# start from a clean filter table and default-deny everything coming in
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# drop packets conntrack cannot associate with any known connection
iptables -A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP
# accept all on lo or local network
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -i eth0 -j ACCEPT
# accept replies to connections that were started from inside
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon

berferd (Tux's lil' helper; Joined: 13 May 2004; Posts: 117)
Posted: Sat Apr 27, 2019 6:07 pm

Tony0945 wrote:
I figured it had to be something like that, but can't a reply be spoofed? Or does the router know what it sent and where? My lack of knowledge is deep.


I'm not sure how you would do that. You'd have to trick a machine into starting a connection with a server on the outside, and then hijack that connection somehow.

Here's some background on how pf(4) handles spoofing and outgoing connections:

https://www.openbsd.org/faq/pf/filter.html#synproxy

https://www.openbsd.org/faq/pf/filter.html#state

berferd (Tux's lil' helper; Joined: 13 May 2004; Posts: 117)
Posted: Sat Apr 27, 2019 6:14 pm

The question I expected was "how do you ssh back to your home network?" I'm glad you asked that question.

I use autossh(1) on my firewall to maintain a connection from my firewall out to a virtual server I have on the Internet. I remote forward the ssh port on my Gentoo server to this virtual host over this connection. I can ssh back to my Gentoo server by first sshing to the virtual host and then ssh -p 1234 localhost. Yes, it's a horrific ssh-in-ssh hack, but I don't care what IP address my ISP gives me, and I'm fully in compliance with any policies prohibiting running servers on my home Internet connection.

Tony0945 (Advocate; Joined: 25 Jul 2006; Posts: 3189; Location: Illinois, USA)
Posted: Sat Apr 27, 2019 6:32 pm

berferd wrote:

https://www.openbsd.org/faq/pf/filter.html#synproxy

https://www.openbsd.org/faq/pf/filter.html#state

I understood about 30% of that. Thank you for the links. They give me a picture of how it works.

berferd (Tux's lil' helper; Joined: 13 May 2004; Posts: 117)
Posted: Sat Apr 27, 2019 6:53 pm

I recommend Stevens for learning network programming. The man had a gift for explaining complex things in a simple way.

Anon-E-moose (Advocate; Joined: 23 May 2008; Posts: 4258; Location: Dallas area)
Posted: Sat Apr 27, 2019 7:05 pm

berferd wrote:
I recommend Stevens for learning network programming. The man had a gift for explaining complex things in a simple way.


I have the 2nd edition, been on the bookshelf for a while. :lol: It sits beside Tanenbaum's Operating Systems and Holub's Compiler Design in C.
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon

Tony0945 (Advocate; Joined: 25 Jul 2006; Posts: 3189; Location: Illinois, USA)
Posted: Sat Apr 27, 2019 7:44 pm

Third edition, both volumes on order. Thanks to both of you for the recommendation.

Hu (Moderator; Joined: 06 Mar 2007; Posts: 14163)
Posted: Sat Apr 27, 2019 9:22 pm

Tony0945 wrote:
I figured it had to be something like that, but can't a reply be spoofed? Or does the router know what it sent and where? My lack of knowledge is deep.
Pure routers do not need to remember what they have sent where. Any responses can be routed based purely on the content of the response packet. Most home routers also do NAT, and doing NAT well requires tracking what has been sent, so that responses can be sent back to the host expecting them. When you send from your personal system, with your private range IP address, your NAT device rewrites the packet on the way out to have your ISP-assigned public IP address. If it did not, the response would never make it back to your ISP, and the connection would fail. However, once the response comes back, it will be passed by your ISP to the NAT device because that is the machine with the public IP. Your NAT device isn't running the browser/mail client/game that sent the packet, so it cannot directly handle the response. However, if it remembers which internal system sent the request packet, and can match this response to that request, it can rewrite the response packet to go to the internal system that sent the request. That system is running the browser/mail client/game, and can dispatch the packet to the originating program. A spoofed reply that does not match any recent requests will be sent to the DMZ, or dropped if there is no DMZ. A spoofed reply that makes it to your personal system is still likely to be dropped, unless it's a very convincing spoof that tricks the recipient into believing the spoofed message came from the peer you expected to send it.

There were some famous spoofs very early on, but modern TCP implementations are fairly cautious, so it is difficult to spoof if you cannot manipulate the legitimate traffic, and even harder if you cannot even see the legitimate traffic.
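Hu's description of NAT state tracking, as an added Python model that is not part of the thread: the NAT device rewrites an outbound request, records the mapping, forwards the genuine reply back to the internal host, and drops both a spoofed "reply" and an unsolicited packet because neither matches any recorded state. The addresses, ports and the NatDevice class are constructed for this example and stand in for no real router.

```python
from __future__ import annotations

from dataclasses import dataclass, replace

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
PUBLIC_IP = "203.0.113.7"      # ISP-assigned address of the NAT device
LAN_HOST = "192.168.1.20"      # the personal system running the browser
WEB_SERVER = "198.51.100.10"   # the peer the browser actually talks to


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class NatDevice:
    """Toy masquerading home router (an assumption, not any real firewall).
    Inbound packets pass only if they match a remembered outbound request."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port, peer_ip, peer_port) -> (lan_ip, lan_port)
        self.states: dict[tuple[str, int, str, int], tuple[str, int]] = {}
        # LAN-side 5-tuple -> public port already allocated for that flow
        self.allocated: dict[tuple[str, str, int, str, int], int] = {}
        self.dropped: list[tuple[str, Packet]] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source address and record the mapping."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.allocated.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.allocated[flow] = port
            self.states[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Internet -> LAN: forward only a reply that matches a recorded request."""
        if pkt.dst != self.public_ip:
            self.dropped.append(("not addressed to us", pkt))
            return None
        lan = self.states.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if lan is None:
            # Unsolicited or spoofed: no recent request matches this "reply".
            self.dropped.append(("no matching state", pkt))
            return None
        return replace(pkt, dst=lan[0], dport=lan[1])


def demo() -> dict[str, object]:
    """One request/reply through the NAT, then two packets nobody asked for."""
    nat = NatDevice()
    request = Packet("tcp", LAN_HOST, 51515, WEB_SERVER, 443, "GET /")
    on_wire = nat.outbound(request)
    # Genuine reply: from the peer, to the public IP and the port we allocated.
    reply = Packet("tcp", WEB_SERVER, 443, PUBLIC_IP, on_wire.sport, "200 OK")
    delivered = nat.inbound(reply)
    # A "reply" from a host nobody talked to, aimed at the same public port.
    spoofed = Packet("tcp", "198.51.100.99", 443, PUBLIC_IP, on_wire.sport, "200 OK")
    spoof_delivered = nat.inbound(spoofed)
    # A plain unsolicited connection attempt at a service port.
    unsolicited = Packet("tcp", "198.51.100.99", 33333, PUBLIC_IP, 22, "SYN")
    return {
        "on_wire": on_wire,
        "delivered": delivered,
        "spoof_delivered": spoof_delivered,
        "unsolicited_delivered": nat.inbound(unsolicited),
        "dropped": [reason for reason, _ in nat.dropped],
    }
```

The model stops where Hu's paragraph stops: a spoof that did match the recorded 5-tuple would be handed to the internal host, and it is then the host's TCP stack that has to reject it.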

tld (Veteran; Joined: 09 Dec 2003; Posts: 1432)
Posted: Sun Apr 28, 2019 2:37 pm

I voted yes here to using my router's DHCP, but having said that most machines on my network have static addresses. I'm using a Linksys WRT1900ACS running dd-wrt. While I've seen some (or at least one) here with not-so-good opinions of dd-wrt, I've actually been very happy with it.

One example where I need DHCP are the HDHomeRun tuners I use for my MythTV system. They don't support static IPs, though I'm assigning them permanent IPs using static leases by MAC address.

Tom

Tony0945 (Advocate; Joined: 25 Jul 2006; Posts: 3189; Location: Illinois, USA)
Posted: Sun Apr 28, 2019 3:11 pm

tld wrote:
One example where I need DHCP are the HDHomeRun tuners I use for my MythTV system. They don't support static IPs, though I'm assigning them permanent IPs using static leases by MAC address.

That would be like the "Smart TVs", Roku devices and Amazon Firesticks that I have. I like NeddySeagoon's idea of putting them on a separate address space then blocking that space from the computer address space.

1clue (Advocate; Joined: 05 Feb 2006; Posts: 2562)
Posted: Sun Apr 28, 2019 6:16 pm

Tony0945 wrote:
tld wrote:
One example where I need DHCP are the HDHomeRun tuners I use for my MythTV system. They don't support static IPs, though I'm assigning them permanent IPs using static leases by MAC address.

That would be like the "Smart TVs", Roku devices and Amazon Firesticks that I have. I like NeddySeagoon's idea of putting them on a separate address space then blocking that space from the computer address space.


Keep in mind that for this to work, you need to have the "computer address space" on a separate physical network with a firewall in between. The simplest solution would be a Linux box with 3 NICs on it (or more) where 1 is the WAN, 2 is the trusted network (no wifi in my case) and 3 is the wifi router with all the random consumer devices on it. Net 3 only gets access to the Internet, nothing else.

Page 1 of 2 (all times are GMT)