Prevent DHCP server from offering IP addresses to certain clients
We are running a Mac OS X Server 10.5.5. Besides various other services, it acts as a DHCP server for our institute's clients (using Apple's default DHCP daemon, "bootpd").
The DHCP server serves one address pool and also has some static address mappings.
Now I need to configure the following:
Our VoIP telephones (Alcatel ipTouch) must not get an answer from our DHCP server when asking for an IP address. The reason behind this is that they should get their IP address from another DHCP server which is administrated by our university's telephone and network infrastructure working-group and not by us.
I've looked at the option "deny" which is documented in "man bootpd". In general it functions, but the problem is that I have to list the Ethernet addresses of all of our VoIP telephones by hand. It would be much easier to have a kind of wildcard operator (which we could let match on the vendor part of the MAC address), but this doesn't seem to be available. Please correct me if I am wrong!
My next try was to set up a firewall rule which simply drops the Ethernet frames from the telephones arriving on our Mac OS X DHCP server. I can set up such rules using "ipfw" as documented in "man ipfw", and even wildcards (using a MAC address "subnet-like" masking notation) are allowed. But my MAC address based firewalling rules are just ignored. At the end of "man ipfw" the sysctl variable "net.link.ether.ipfw" is introduced. The manpage says that this variable has to be set to "1" to let packets on layer 2 pass through the firewall. The problem is: I cannot set "net.link.ether.ipfw" to "1"; it seems that this variable is available on FreeBSD, but not on Mac OS X. I just don't want to believe that it is impossible to filter packets based on MAC addresses on Mac OS X.
So my question to you is: Do you have any idea how I could accomplish it so that machines with a specific vendor part in the MAC address are just ignored by our DHCP server without listing all of them manually?
The solutions (I should rather say "work-arounds") I am thinking about are:
- Setting up a list of the MAC addresses of the telephones by hand using the "deny" keyword in "/etc/bootpd.plist". This would be very suboptimal. I would really like to avoid the work (as it is not only a bit of "one-time work" for now, but also introduces a new work-flow, which means that it is necessary to do configuration work whenever a telephone is added or exchanged, for example).
- Disabling the "address pool" function of our existing DHCP server and letting it only give out IP addresses to statically mapped clients (of course, we wouldn't map our telephones there, but all of the computers which are possibly in use in our institute network). We could live with this. But the problem is: How can I accomplish this? Setting the keyword "allocate" to "false" (as given in "man bootpd") doesn't change anything. Even then, clients which aren't mapped statically will get an IP address. Having an empty IP address range doesn't seem to be possible, either. At least, the server manager doesn't allow me to store such a configuration.
- Disabling Apple's "bootpd" completely and compiling an ISC DHCPD on Mac OS X Server. I know well (from the administration of other Unix-like systems) that the ISC DHCPD is able to do this kind of filtering on parts of the MAC address (e.g. the vendor part) very easily. But I suppose that I would also have to do the whole Apple NetBoot configuration (we use NetBoot to restore the clients in our student computer lab) by hand. Just in case: Does anyone have experience setting up the ISC DHCPD on Mac OS? Is there any good documentation of the settings which have to be made there to enable NetBoot?
I would be very glad to get any help.
Thank you very much in advance!
Best regards,
Steffen
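One way to take the manual work out of the first work-around (the explicit "deny" array in /etc/bootpd.plist), as an added example that is not part of the original post: derive the deny list from the phones' vendor OUI and the MAC addresses seen in `arp -an` output, merging it into the existing plist. The OUI, the sample ARP lines and the minimal plist below are constructed placeholders, not the real Alcatel prefix or the server's real configuration.

```python
"""Build the "deny" list for bootpd.plist from a vendor OUI and observed MACs.

bootpd's "deny" key (see man bootpd) takes an array of explicit Ethernet
address strings, so the vendor-prefix match has to happen outside bootpd.
"""
import plistlib
import re

# Placeholder vendor prefix (constructed); replace with the phones' real OUI.
PHONE_OUI = "00:11:22"

# Constructed sample of `arp -an` output. macOS prints MAC octets without
# leading zeros ("0:11:22:a:b:c"), so every address must be normalized first.
SAMPLE_ARP = """\
? (10.0.0.21) at 0:11:22:a:b:c on en0 ifscope [ethernet]
? (10.0.0.22) at 00:11:22:0d:0e:0f on en0 ifscope [ethernet]
? (10.0.0.50) at 0:1e:c2:33:44:55 on en0 ifscope [ethernet]
? (10.0.0.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

# Constructed minimal bootpd.plist with one address already denied by hand.
SAMPLE_PLIST = plistlib.dumps({"allocate": True, "deny": ["00:11:22:99:99:99"]})

MAC_RE = re.compile(r"\bat ([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b")


def normalize_mac(mac, octets=6):
    """Return the address as zero-padded lowercase octets joined by colons."""
    parts = mac.split(":")
    if len(parts) != octets:
        raise ValueError(f"expected {octets} octets: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)


def macs_from_arp(text):
    """Extract and normalize every MAC address from `arp -an` output."""
    return [normalize_mac(m.group(1)) for m in MAC_RE.finditer(text)]


def deny_list(macs, oui, existing=()):
    """Merge MACs matching the vendor prefix into an existing deny list."""
    prefix = normalize_mac(oui, octets=3) + ":"
    denied = {normalize_mac(m) for m in existing}
    denied.update(m for m in map(normalize_mac, macs) if m.startswith(prefix))
    return sorted(denied)


def merge_into_bootpd(plist_bytes, macs, oui):
    """Return the plist with its "deny" array extended; other keys untouched."""
    cfg = plistlib.loads(plist_bytes)
    cfg["deny"] = deny_list(macs, oui, cfg.get("deny", ()))
    return plistlib.dumps(cfg)
```

The returned bytes are what you would write back to /etc/bootpd.plist; the script never touches the file itself.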