Description

It is suggested to use ISC-DHCP-SERVER free solution as a DHCP server. If your LAN already uses a third-party DHCP server, you do not need to switch to the SoftWLC controller solution. Using a third-party DHCP server does not affect the operation of the controller.

The solution allows performing the following tasks in relation to Eltex.SoftWLC project:

Assigning primary (external) IP addresses to access points with option 43 (suboptions 11 and 12) that makes it possible to create GRE tunnels to ESR.
Assigning secondary (management, tunnel) IP addresses to access points with option 43 (suboptions 10 and 13) for AP management, detection and automatic initialization.
Assigning IP addresses to Wi-Fi users connecting to access points.
DHCP clients classification using option 82, option 60 and giAddrField.

Installation

It is better to install ISC-DHCP-SERVER after installing the SoftWLC software controller.

Packet installation

sudo -s
apt-get update
apt-get install isc-dhcp-server

Starting/stopping procedure

To stop the service, the following command is used:

service isc-dhcp-server stop

To start the service after stopping:

service isc-dhcp-server start

To check the service status, use the command:

service isc-dhcp-server status

This will be followed by a message:

* isc-dhcp-server is running

if the service is running, or by

* isc-dhcp-server is not running

if it is not.

Logging

By default, the service logs are recorded to the file

/var/log/syslog

To make the analysis more convenient, it is recommended to configure log redirection to the /var/log/dhcpd.log file.

DHCP server configuration

The solutions provided are relevant to typical network organization schemes, but they may differ from the configuration required for your network!

Minimum DHCP server configuration

For small networks, where all APs are connected by L2 scheme, for DHCP server configuration, it will be enough to specify the following:

Subnet, mask and gateway for AP management addreses
Subnet, mask and gateway for addresses of clients connecting to APs

The AP and client subnets are separated for security reasons, so that malefactors could not infiltrate the AP management network by connecting to one of the SSIDs.

Optional — EMS server address.

These parameters will always be used when configuring it.

Example of a minimum DHCP server configuration

Consider the example of real addressing:

Address or subnet	Designation
100.111.70.0/24	AP management subnet
100.111.70.1	Default AP gateway
100.123.0.54	AP management server address (EMS address)
100.111.71.0/24	Subnet for client devices
100.111.71.1	Default gateway for client devices
172.16.0.1, 8.8.8.8	Adresses of DNS servers

The DHCP server itself must have routes to all these subnets, otherwise devices will not receive responses from it.

DHCP configuration file is in /etc/dhcp/

nano /etc/dhcp/dhcpd.conf

All parameter strings in the dhcp configuration file end with a semicolon (;). Some parameters may have multiple values, such as domain-name-servers which has two IP addresses separated by a comma. Lines starting with '#' are comments and are not processed by the dhcp server.

log-facility local7; 
default-lease-time 3600; 
max-lease-time 3610; 

# List of Eltex devices
class "ELTEX-DEVICES" {
 match if (
  (substring (option vendor-class-identifier, 0, 14)="ELTEX_WEP-12AC") or
  (substring (option vendor-class-identifier, 0, 14)="ELTEX_WOP-12AC") or
  (substring (option vendor-class-identifier, 0, 14)="ELTX_WEP-12AC") or
  (substring (option vendor-class-identifier, 0, 14)="ELTX_WOP-12AC") or
  (substring (option vendor-class-identifier, 0, 13)="ELTEX_WEP-2AC") or
  (substring (option vendor-class-identifier, 0, 19)="ELTEX_WEP-2AC-SMART") or
  (substring (option vendor-class-identifier, 0, 13)="ELTEX_WOP-2AC") or
  (substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-1L") or
  (substring (option vendor-class-identifier, 0, 12)="ELTEX_WEP-2L") or
  (substring (option vendor-class-identifier, 0, 12)="ELTEX_WOP-2L") or
  (substring (option vendor-class-identifier, 0, 6)="ESR-10") or
  (substring (option vendor-class-identifier, 0, 6)="ESR-20")
 );
}

# Subnet of AP management adresses
subnet 100.111.70.0 netmask 255.255.255.0 { 
 pool {
  option routers 100.111.70.1;
  range 100.111.70.4 100.111.70.254;
# suboption 10 of option 43 transmits AP address of EMS server (in this case — 100.123.0.54)
  option vendor-encapsulated-options 0A:0C:31:30:30:2e:31:32:33:2e:30:2e:35:34;
  allow members of "ELTEX-DEVICES";
  option domain-name-servers 172.16.0.1, 8.8.8.8;
 }
}

# Declare a subnet for client addresses
subnet 100.111.71.0 netmask 255.255.255.0 {
 pool {
  option routers 100.111.71.1;
  range 100.111.71.4 100.111.71.254;
  option domain-name-servers 172.16.0.1, 8.8.8.8;
 }
}

Some general DHCP server settings:

log-facility local7 — Recording logs to a file

default-lease-time — The time interval in seconds for which the address is allocated to the client. The parameter is assigned globally, i.e. applies to APs and clients.

max-lease-time — Maximum time interval, in seconds, for which the address is allocated to the client.

subnet — The parameter declares the subnet (in our case — 100.111.71.0 with a mask of 255.255.255.0).

option routers — Specifies the IP address of your gateway or network access point (100.111.71.1).

range — The range of issued addresses (100.111.71.4 to 100.111.71.254).

option vendor-encapsulated-options — option 43 suboption 10, used to transmit the AP address of the controller.

domain-name-servers — Adresses of DNS servers (172.16.0.1, 8.8.8.8).

allow members of "ELTEX-DEVICES" — class match operator. The devices which vendor type name matches the globally declared class (class "ELTEX-DEVICES", ELTEX_WEP-12AC, ELTEX_WEP-2AC, ELTEX_WEP-2L, etc.) will be written to the pool.

The configuration file /etc/default/isc-dhcp-server records the interface from which the DHCP server should accept DHCP requests. If none of the interfaces are specified, the server will respond to all requests, regardless of which interface it comes from.

To determine the name of a network interface, you can enter the following command:

 ifconfig

The file contains the basic settings, in particular the list of network interfaces used:

 INTERFACES="eth1.101 eth1.102"

This completes the minimum configuration. Restart the service to apply the settings

service isc-dhcp-server restart

Advanced DHCP server configuration

Network Interfaces

DHCP server should have interfaces in three subnets:

inner operator subnet — a subnet used for connection to operator's internal network. Administrators and operators connect to GUI EMS, and communication with SMS gateway and operator's services via NorthboundInterface is provided within the network. This subnet has a virtual interface (keepalived is used);
outer operator subnet — a subnet used for connection to access points and other network devices. It has strict security policies. This subnet has a virtual interface (keepalived is used);
outer subnet for receiving DHCP requests from Relay agents on operator's end equipment.

auto eth1.102 # Interface in outer operator's exchange network
iface eth1.102 inet static
address 192.168.114.8
netmask 255.255.255.192
network 192.168.114.0
vlan_raw_device eth1 
auto eth1.100 # Interface in inner operator network
iface eth1.100 inet static
address 172.17.209.9
netmask 255.255.255.192
network 172.17.209.0
vlan_raw_device eth1 
auto eth1.101 # Interface for assigning IP addresses to access points
iface eth1.101 inet static
address 10.203.5.7
netmask 255.255.255.192
network 10.203.5.0
vlan_raw_device eth1

Routing

DHCP server should have access to the following subnets:

10.203.32.0 — for assigning primary IP addresses to access points;

192.168.200.0 — for assigning management IP addresses to access points;

100.65.64.0 — for assigning IP addresses to client devices.

Example of route configuration in /etc/network/interfaces file.

up ip route add 100.65.64.0/22 via 192.168.114.10
up ip route add 192.168.200.0/22 via 192.168.114.10
up ip route add 10.203.32.0/19 via 10.203.5.1

ISC-DHCP-SERVER configuration

/etc/default/isc-dhcp-server

The file contains basic settings, in particular the list of network interfaces used:

INTERFACES="eth1.101 eth1.102"

/etc/dhcp/dhcpd.conf

DHCP server's address pool configuration.

Configuration example

default-lease-time 60;
max-lease-time 120;
log-facility local7;
class "ELTEX-DEVICES" {
    match if (
        (substring (option vendor-class-identifier, 0, 14) = "ELTEX_WEP-12AC") or
        (substring (option vendor-class-identifier, 0, 14) = "ELTEX_WOP-12AC") or
        (substring (option vendor-class-identifier, 0, 14) = "ELTX_WEP-12AC") or
        (substring (option vendor-class-identifier, 0, 14) = "ELTX_WOP-12AC")
    );
}
subnet 192.168.114.64 netmask 255.255.255.192 {}
subnet 10.203.5.64 netmask 255.255.255.192 {}
#first IP subnet for assigning primary addresses to access points
subnet 10.203.32.0 netmask 255.255.254.0 {
    pool {
        option routers 10.203.32.2;
        range 10.203.32.130 10.203.32.230;
        failover peer "dhcp-failover";
        option vendor-encapsulated-options 0B:0c:31:30:2E:32:30:33:2E:35:2E:31:31:32:0C:0C:31:30:2E:32:30:33:2E:35:2E:31:31:33;
        allow members of "ELTEX-DEVICES";
    }
}
#managed IP-subnet for assigning secondary addresses to access points
subnet 200.65.64.0 netmask 255.255.240.0 {
    pool {
        option routers 200.65.64.5;
        range 200.65.64.200 200.65.64.250;
        failover peer "dhcp-failover";
        option domain-name-servers 172.16.0.1, 8.8.8.8;
    }
}

Configuring access points' static addresses

If predetermined IP addresses of access points (secondary addresses) should be used in management network, a list of static hosts can be configured. Take the following steps in order to avoid /etc/dhcp/dhcpd.conf overload:

1. Create a file that includes the list and may be located in any directory, for example /var/lib/dhcp/touch /var/lib/dhcp/hosts.

2. Add entries to the file.

Entry format

host wep_01 { hardware ethernet a8:f9:4b:b0:00:00; fixed-address 192.168.1.1; }

where

host wep_01 — hostname;

hardware ethernet a8:f9:4b:b0:00:01 — MAC address of a device. Note that in order to get a secondary address, an access point uses MAC one greater than the MAC used for primary address getting;

fixed-address 192.168.200.133 — IP address of a device.

3. Add the following line to AP address pool:

include "/var/lib/dhcp/hosts";

4. For DHCP server to be able to read the file, set the owner using the command:

chown dhcpd:dhcpd /var/lib/dhcp/static/hosts

5. Allow reading the file in AppArmor by adding the following line to /etc/apparmor.d/usr.sbin.dhcpd file (the line should end with a comma):

/var/lib/dhcp/hosts r,

6. Restart services

service apparmor restart
service isc-dhcp-server restart

Pool configuration example:

subnet 192.168.200.0 netmask 255.255.252.0 {
    pool {
        option routers 192.168.200.5;
        range 192.168.200.120 192.168.200.164;
        option vendor-encapsulated-options A:F:31:39:32:2E:31:36:38:2E:31:31:34:2E:31:30:34;
        include "/var/lib/dhcp/hosts";
    }
}

The lists should be created on both servers and kept updated. Restart servers after changing the lists' contents.

Using option 82

If option 82 is required, new classes should be created as follows:

class "NEW_class" {
match if (
    (option agent.circuit-id = "E320-1-210:GigabitEthernet 1/0/2.25030007:2503-7")
    and
        (
            (substring (option vendor-class-identifier, 0, 14) = "ELTEX_WEP-12AC") or
            (substring (option vendor-class-identifier, 0, 14) = "ELTEX_WOP-12AC") or
            (substring (option vendor-class-identifier, 0, 14) = "ELTX_WEP-12AC") or
            (substring (option vendor-class-identifier, 0, 14) = "ELTX_WOP-12AC")
        )
    );
}

The created class should be defined in a pool, for example:

subnet 192.168.200.0 netmask 255.255.252.0 {
    pool {
        option routers 192.168.200.5;
        range 192.168.200.120 192.168.200.164;
        option vendor-encapsulated-options A:F:31:39:32:2E:31:36:38:2E:31:31:34:2E:31:30:34;
        allow members of "NEW_class";
    }
}

After that, addresses from the pool will be assigned only to devices of this class.

Option 43 usage

The option is used to transfer vendor-specific data to DHCP clients.

The following suboptions are used in SoftWLC:

Suboption	Description
10	EMS server address
11	the address for management tunnel creation
12	the address for data tunnel creation
13	the option for identifying carrier network area to which the access point belongs

According to RFC2132, the format is as follows:

   When encapsulated vendor-specific extensions are used, the
   information bytes 1-n have the following format:
 
    Code   Len   Data item        Code   Len   Data item       Code
   +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
   |  T1 |  n  |  d1 |  d2 | ... |  T2 |  n  |  D1 |  D2 | ... | ... |
   +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+

The option is transmitted in hexadecimal format. All data should be converted from ASCII to HEX.

All the values are separated by a colon ':', and the line ends with a semicolon ';'.

Option examples:

In the primary address pool, option 43 (suboptions 11 and 12) is specified as follows:

option vendor-encapsulated-options 0B:0B:31:30:2E:32:30:33:2E:35:2E:31:30:0C:0B:31:30:2E:32:30:33:2E:35:2E:31:31;

Decoding:

suboption 11, 11 symbols long, contains the address 10.203.5.10;

suboption 12, 11 symbols long, contains the address 10.203.5.11;

In the secondary address pool, option 43 (suboption 10) is specified as follows:

option vendor-encapsulated-options 0A:0D:31:39:32:2E:31:36:38:2E:31:31:34:2E:34;

Decoding:
suboption 10, 13 symbols long, contains the address 192.168.114.4;

Suboption 13 is specified as follows:

option vendor-encapsulated-options 0D:0A:65:6c:74:65:78:2e:72:6f:6f:74;

Decoding:
suboption 13, 10 symbols long, contains the domain: eltex.root

If several suboptions should be transferred in a pool, they should be written in the same line. E.g. for suboptions 10 and 13, it will look like this:

option vendor-encapsulated-options 0A:0D:31:39:32:2E:31:36:38:2E:31:31:34:2E:34:0D:0A:65:6c:74:65:78:2e:72:6f:6f:74;

Checking dhcpd configuration file

To check a configuration file for syntax errors without restarting DHCP server and applying a configuration, use dhcpd utility.

To run a check, launch dhcpd utility with -t modifier. If the configuration file is not located in the default directory, add -cf keys

dhcpd -t -cf /path/to/dhcpd.conf

example:

root@vagrant-ubuntu-trusty-64-test1111:~# dhcpd -t -cf /etc/dhcp/dhcpd_test.conf 
Internet Systems Consortium DHCP Server 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp/dhcpd_test.conf line 97: semicolon expected.
        range 
         ^
/etc/dhcp/dhcpd_test.conf line 105: Pool declaration with no address range.
          }
           ^
Pool declarations must always contain at least
one range statement.
Configuration file errors encountered -- exiting

Logging to a separate file configuration

To make the analysis more convenient, configure the logging to a separate file.

Edit the file:

/etc/rsyslog.d/50-default.conf

Add the following in the beginning of the file:

if $programname == 'dhcpd' then /var/log/dhcpd.log
& stop

Restart rsyslog:

systemctl restart rsyslog

Next you need to configure the dhcpd.log file rotation.

Edit the file:

/etc/logrotate.d/rsyslog

Add the following in the end of the file:

/var/log/dhcpd.log
{
        rotate 4
        maxsize 50M
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

Configuring DHCP-failover

Add a definition to /etc/dhcp/dhcpd.conf configuration file

On the first server:

failover peer "dhcp-failover" {
    primary;
    address 192.168.114.8;
    port 647;
    peer address 192.168.114.9;
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
    auto-partner-down 180;
    mclt 1800;
    split 128;
}

On the second server:

failover peer "dhcp-failover" {
    secondary;
    address 192.168.114.9;
    port 647;
    peer address 192.168.114.8;
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
    auto-partner-down 60;
}

Add the following line to reserved pools (192.168.200.0 subnet)

failover peer "dhcp-failover";

Server time synchronization is essential for DHCP-failover operation. If desynchronization occurs, failures are possible.

OMAPI configuration

To configure monitoring and DHCP servers' status check, generate a key and specify it in DHCP server configuration file. At first, generate keys by adding -K modifier and by specifying destination directory

root@vagrant-ubuntu-trusty-64-test1111:~# dnssec-keygen -K /etc/dhcp/ -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key
Komapi_key.+157+35749

Display the key

root@vagrant-ubuntu-trusty-64-test1111:~# cat /etc/dhcp/Komapi_key.+157+35749.key | awk '{print $7 $8}'
kvxcUNEtu0137tWK/uEKU/MSQxinN0lTifbLwaQd0SvvhtW+PpvlHqSbHJnNLIfo7KSA7KFWtjoEUqIIJXgxmg==

Specify the obtained key, encryption algorithm, gateway and omapi_key name in DHCP server configuration file

key omapi_key {
        algorithm HMAC-MD5;
        secret "kvxcUNEtu0137tWK/uEKU/MSQxinN0lTifbLwaQd0SvvhtW+PpvlHqSbHJnNLIfo7KSA7KFWtjoEUqIIJXgxmg==";
              };

omapi-port 7911;
omapi-key omapi_key;

Restart isc-dhcp-server

service isc-dhcp-server  restart

The only thing left to do is to specify EMS OMAPI key name, OMAPI key and Failover peer name in access settings

Eltex Documentation EN > DHCP server > Selection_087.png