How to make DHCP server for different subnets

Hello everyone!

I sincerely ask for help in setting up, because I do not have the necessary experience at the moment.

Task: it is necessary to replace the DHCP server in the network with an OpenWRT server, but leave the router the same.

Network topology:

There is a Sophos XG router, to which the Internet from the provider is connected on one side, and a local network on the other side. Several IP addresses with different subnets are registered on the local interface:
192.168.30.1/28 for local network equipment
192.168.31.1/29 for smart devices
192.168.32.1/24 for wifi
At the same time, a DHCP server is configured on Sophos, which distributes, with MAC binding, addresses for devices of the first and second networks, as well as a little of the third, but at the same time in the third network all other devices without MAC binding receive random addresses.

The local network is connected to the first router (xiaomi 3200), which is connected via mesh to two other routers (xiaomi ax5). There are both wifi and LAN devices behind the other routers.

I need to disable the DHCP server on Sophos and connect another router (Asus RT-N56U B1) with openwrt with two LAN interfaces to the first router (xiaomi 3200) (I suppose to give it a static address from the first network 192.168.30.2/28) and WAN (this is for further experiments and broadcasting traffic through this device).

Thus, I need to configure the LAN interface of Asus openwrt for distributing DHCP, as it was implemented on Sophos.

So far I do not understand whether it is necessary to make all the same networks on LAN as on Sophos, whether it is necessary to make its own DHCP for each network and everything else?

Please tell me the logic of implementing such a plan and possibly the configuration.

Model
ASUS RT-N56U B1
Platform ramips/mt7621
Version 23.05.4 (r24012-d8dd03c46f)

To briefly describe the task, I need the LAN interface on OpenWrt with the IP address 192.168.30.1/255.255.255.240, physically connected to the infrastructure, to distribute DHCP for three subnets, 192.168.30.0/255.255.255.240, 192.168.31.0/255.255.255.248 and 192.168.32.0/255.255.255.0, while in the distributed addresses DHCP clearly indicates the IP address of the router, the DNS and the subnet.
In addition to this, it is necessary to reserve some IPs for MACs in different subnets.

You probably want to configure the Asus not as a router, but merely as a switch / access point, and trunk all the networks from the Sophos.

  • Can the Sophos trunk several networks on the LAN interface?
  • What role will the Sophos and the Asus play? Why do you need them?

That's right. Asus in the DHCP server task will not be a router, but will be ONLY a DHCP server for several subnets that I need within this infrastructure.

Sophos can combine several subnets on the LAN interface, but you need to understand that there is the main LAN 30.1 and additional LANs 31.1 and 32.1 on this physical Sophos interface. They are combined by the router logic, not like in openwrt, but like in a router when configuring routes and a firewall. Without configuration, they do not see each other. This is the calculation that the network core (Sophos) handles traffic from several networks.

Sophos will play the same NGFW role. Asus (OpenWrt) will only be a DHCP server for the network. In the future, some traffic will be sent from LAN to WAN through the Asus towards the Internet, but that's another story.

Sorry, but I cannot understand where you are or where you are trying to go...

Does this mean that these are tagged VLANs 30, 31, and 32 on the interface?

Is there any reason you're not just using /24 networks for all of these? (it's just much easier)

Why do you want to do this? It is possible to run a DHCP server on a different device than your router, but if the Sophos has a DHCP server already available, why not use it?

It seems that your Sophos has all the capabilities that you need -- routing for multiple subnets, VLANs, and DHCP servers... why do you want to complicate the topology?

Meanwhile, if you do set up an outboard DHCP server, make sure you provide DHCP option 3 (gateway) and DHCP option 6 (DNS) that point to your Sophos.

1 Like

No, it is not. These are just additional addresses on the interface without VLANs. I don't know how to explain it from the point of view of Sophos, but on Linux it works simply (additional addresses are registered on the interface).

Why use a /24 mask if there are 8-16 devices in the network? This is the basis of rationality)

DHCP on Sophos works crookedly. I just want to implement DHCP specifically on OpenWrt.

DHCP option 3 (gateway) and DHCP option 6 (DNS), which point to your sophos - EVERYTHING IS CORRECT! The question and task is different, namely help with setting up openWRT.

Everything is very simple). I ask for help in setting up a DHCP server for several subnets within one physical network. At the same time, the DHCP server is not a router, but is on the side. I gave the diagram as an example, to understand how it works now. I would not like to explain why I am not satisfied with the Sophos DHCP, but I would like to set up OpenWrt)


How can the DHCP server decide which address should be issued to each client?

  1. Assuming you have a VLAN at Sophos for each subnet...
  2. Setup trunk link with all VLANs from Sophos to OpenWrt.
  3. Connect to lan1 port of OpenWrt.
  4. Edit br-lan device.
  5. Enable VLAN filtering.
  6. Add all VLAN IDs.
  7. Set your VLANs as Tagged on lan1.
  8. Add an interface for each VLAN.
    1. Set a static IP for each.
    2. Device: choose lan1.nn where nn is VLAN ID.
    3. Setup new firewall zone by clicking on custom.
    4. Enable DHCP server.
  9. Disable DHCP server on Sophos.

While it is possible to have multiple addresses on a given interface, this is not proper network design for most environments.

Can you explain why you're not using VLANs? What is the point of each of the subnets (both in terms of what the groupings of devices are per subnet as well as the allowances/restrictions of each subnet relative to the others or the internet)?

The /24 network just makes for a much simpler network design on a human level. It's not that it matters much technically, but there is actually no difference between a /28 and a /24 (or really any two subnet sizes) in terms of the resource allocations on the router for the subnet calculations. But when the number of hosts fits within a /24, it's quite nice to have the 4th octet purely referring to the host addresses, and the first 3 octets referring to the subnet. This reduces the human cognitive load to address each of the subnets. If you want to use smaller subnets, there's no technical difference as long as you have enough space for all your devices. But I always recommend /24's just for the simplicity.

What do you mean by "works crookedly"? I wonder if the problem is actually your network design (having multiple addresses on a single interface)?

Well, without VLANs, you can only serve DHCP to a single subnet. To do this, you would set the address and subnet appropriately on the OpenWrt lan to match the subnet that you wish to serve DHCP. You'll set the DHCP server start and limit values appropriately for the size of the subnet you're serving, ensuring that both the OpenWrt router and any other static devices are outside the DHCP range. Finally, you'll set DHCP options 3 and 6 and you're done.

But... I think you have bigger issues -- I don't think the network topology you've setup on the Sophos is correct or appropriate.

2 Likes
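The replies above give the pieces separately: the numbered trunk/VLAN procedure, the advice to set DHCP option 3 and option 6 to the Sophos, and the note that start/limit must keep the router and static hosts out of the pool. The script below puts them together as one OpenWrt 23.05 UCI batch. It is an added example written for this page, not config posted by anyone in the thread, and it makes assumptions the thread does not state: that the Sophos trunks the three subnets as tagged VLANs 30, 31 and 32 onto port lan1 of the Asus, that the Sophos keeps .1 in every subnet (so option 3 and 6 point at it) and the OpenWrt box takes .2, that `network.@device[0]` is the stock br-lan device of a default 23.05 config, and that the per-VLAN interfaces sit on `br-lan.NN` (bridge VLAN filtering) rather than the `lan1.NN` naming used in the list. The MAC addresses in the reservations are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit uci commands that turn a DSA-based
# OpenWrt 23.05 router into a VLAN-aware, DHCP-only server for three subnets
# trunked from the Sophos. Assumed: VLAN ids 30/31/32, trunk on lan1, Sophos
# owns .1 in every subnet, this box takes .2, @device[0] is the stock br-lan.
#
# Usage:  sh dhcp-only.sh          # print the batch for review
#         sh dhcp-only.sh apply    # on the router: uci batch + commit + reload

SOPHOS_HOST=1        # gateway and DNS handed out (DHCP options 3 and 6)
OPENWRT_HOST=2       # this box's own address in every subnet
TRUNK_PORT=lan1

# Pool size for a prefix: usable hosts minus the two fixed addresses (.1, .2).
# The pool starts at offset 3, so a /28 becomes .3-.14 and a /29 .3-.6.
pool_limit() {
    echo $(( (1 << (32 - $1)) - 2 - 2 ))
}

# Prefix length -> dotted netmask (64-bit shell arithmetic, masked to 32 bits).
netmask() {
    mask=$(( 4294967295 << (32 - $1) & 4294967295 ))
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

# One VLAN: bridge-vlan entry, static interface, DHCP pool, firewall membership.
# $1 = VLAN id, $2 = network base (e.g. 192.168.30), $3 = prefix length
vlan_config() {
    vid=$1; base=$2; prefix=$3; ifname="vlan$vid"
    cat <<EOF
add network bridge-vlan
set network.@bridge-vlan[-1].device='br-lan'
set network.@bridge-vlan[-1].vlan='$vid'
add_list network.@bridge-vlan[-1].ports='$TRUNK_PORT:t'
set network.$ifname=interface
set network.$ifname.device='br-lan.$vid'
set network.$ifname.proto='static'
set network.$ifname.ipaddr='$base.$OPENWRT_HOST'
set network.$ifname.netmask='$(netmask "$prefix")'
set dhcp.$ifname=dhcp
set dhcp.$ifname.interface='$ifname'
set dhcp.$ifname.start='3'
set dhcp.$ifname.limit='$(pool_limit "$prefix")'
set dhcp.$ifname.leasetime='12h'
add_list dhcp.$ifname.dhcp_option='3,$base.$SOPHOS_HOST'
add_list dhcp.$ifname.dhcp_option='6,$base.$SOPHOS_HOST'
add_list firewall.dhcpsrv.network='$ifname'
EOF
}

# MAC reservation; dnsmasq picks the subnet from the reserved IP itself.
# $1 = hostname, $2 = MAC, $3 = IP
static_lease() {
    cat <<EOF
set dhcp.$1=host
set dhcp.$1.name='$1'
set dhcp.$1.mac='$2'
set dhcp.$1.ip='$3'
EOF
}

generate() {
    # Drop the stock 192.168.1.0/24 lan so this box never serves it, enable
    # VLAN filtering on br-lan, and define a zone that forwards nothing and
    # accepts only DHCP (and management from the equipment subnet).
    cat <<EOF
delete network.lan
delete dhcp.lan
set network.@device[0].vlan_filtering='1'
set firewall.dhcpsrv=zone
set firewall.dhcpsrv.name='dhcpsrv'
set firewall.dhcpsrv.input='REJECT'
set firewall.dhcpsrv.output='ACCEPT'
set firewall.dhcpsrv.forward='REJECT'
set firewall.allow_dhcp=rule
set firewall.allow_dhcp.name='Allow-DHCP-dhcpsrv'
set firewall.allow_dhcp.src='dhcpsrv'
set firewall.allow_dhcp.proto='udp'
set firewall.allow_dhcp.dest_port='67'
set firewall.allow_dhcp.target='ACCEPT'
set firewall.allow_mgmt=rule
set firewall.allow_mgmt.name='Allow-mgmt-from-vlan30'
set firewall.allow_mgmt.src='dhcpsrv'
set firewall.allow_mgmt.src_ip='192.168.30.0/28'
set firewall.allow_mgmt.proto='tcp'
set firewall.allow_mgmt.dest_port='22 443'
set firewall.allow_mgmt.target='ACCEPT'
EOF
    vlan_config 30 192.168.30 28
    vlan_config 31 192.168.31 29
    vlan_config 32 192.168.32 24
    # Constructed sample reservations (placeholder MACs, one per subnet).
    static_lease nas      02:00:00:00:30:05 192.168.30.5
    static_lease doorbell 02:00:00:00:31:03 192.168.31.3
    static_lease printer  02:00:00:00:32:10 192.168.32.10
    echo commit
}

if [ "$1" = apply ]; then
    generate | uci batch && reload_config
else
    generate
fi
```

Review the printed batch before running it with `apply`: the `delete network.lan` line removes the address you are probably connected through, so run it from the console or be ready to reach the box on 192.168.30.2 afterwards. The zone rejects forwarding, so even if a client points its gateway at .2 nothing is routed; the Sophos remains the only path between subnets and to the Internet.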