Monday, December 01, 2008

Installing the Wyse 3: dhcp server and client

In a previous post I showed how to install a Domain Name Relay Daemon to serve as a caching DNS server. Since the firewall will get its address from the DHCP server from your ISP, there's one small configuration we still need to do.
In /etc/dhcp3/dhclient.conf we need to uncomment (or add, if its not there) the following line:

prepend domain-name-servers;

This will make sure the firewall itself will query the name server on the firewall to resolve host names on the local network and the Internet.
The firewall should also run a DHCP server for the internal network. The internal network addresses range from to So, first we need to install a DHCP server:

# apt-get install dhcp3-server

Next, use the following configuration for /etc/dhcp3/dhcpd.conf:

allow bootp;
ddns-update-style none;
subnet netmask {
default-lease-time 600;
max-lease-time 7200;
option subnet-mask;
option broadcast-address;
option domain-name-servers;
option domain-name "earth";
option routers;
group {
host internalhost {
hardware ethernet 11:11:11:11:11:11;
pool {

The above configuration will configure the DHCP server to serve addresses from to This will allow any PC to connect to the local network and get an address.
We also configured a host, called internalhost to receive a fixed address (, since we want to add this fixed address to our dnrd configuration as well.
The DHCP server will also propagate its own address to the clients as preferred name server.
The bootp flag is used to be able to net-boot some old UNIX machines I have (a Sun Ultra and an HP 712/60). For now, no boot images are configured or served, but this will change in the future.
In a next post, we will start configuring the firewall itself using a GUI called fwbuilder and iptables.


DrTronic said...

To make sure the DHCP server is only server for a specific interface:
vi /etc/default/dhcp3-server and set the INTERFACES-option to "eth0" or whatever dhcp-server-enabled-interfaced

kennywest said...

Thanks for the info. However, since the configuration has no subnet declaration for the ip address acquired from my ISP, the server will not listen on the outside interface anyway :)