Setting Static Address at the Host

Greetings all,

I understand that I can set a static address via Network - DHCP and DNS Static Leases. However, I would prefer, if possible, to set them at the hosts and have the router accept them. I do not seem to be able to find any description of how to do it.

Any help would be appreciated.

Kindest regards,

M

It completely depends on the host and its network software, I can think of about a half dozen ways on various Linux distros alone depending on what network manager package it's running.

Do yourself a favor and use the centralized static leases on your router.

1 Like

Hi efahl,

thank you for your reply.

Without doubting your knowledge, how is it possible that all my hosts, having static addresses set, running different OS and, consequently different network managers, are able to connect via a switch and my IPS Router?

My experiments are more-or-less for educational purposes.

Kindest regards,

M

1 Like

I will echo @efahl 's comments and say that it's usually not worth the trouble of setting static IP addresses on the hosts themselves. The use of DHCP reservations on the router will ensure that each device always gets the same address (i.e. effectively static), with the benefit of the host configuration being entirely automatic via DHCP.

But that said...

The router doesn't play any part in 'accepting' the addresses you set. If you set static addresses on each host:

  • you are responsible for keeping track of the addresses to ensure that every device has a unique address.
  • you also need to ensure that you do not use as static any address that is within the DHCP pool (you can change the pool or disable the DHCP server if you want)
  • you must set the correct subnet mask, router address, and dns in every host.
  • you must figure out how each host's network settings are configured

I've stressed the you part because a static address assigned manually on each host means that, by definition, it's not happening automatically and there are no checks to make sure you haven't messed anything up. Beyond that, if you change the subnet and/or want to reallocate the addresses, you have to go to each device and reconfigure it. This can be a bit of a hassle. Finally, keep in mind that not all devices have a mechanism to set up a static IP -- most 'big' OS's do (iOS/Android, Linux/Windows/Mac/Chrome OS), but many embedded devices do not -- they expect (and will only work with) DHCP.

When managed by a central DHCP server, everything will typically be on a single subnet with the correct information configured automatically at the host. If you do this manually instead, it becomes your responsibility to make sure the addresses and details are correct. But there's nothing for the switches (which operate at L2, MAC addresses and don't even know about IP addresses) or routers (which do work with IP addresses) to do that would be any different than if the addresses were assigned by a DHCP server (assuming you've properly configured your hosts; if you haven't, things may or may not work, depending on the errors you've made).

Maybe choose one or two devices and learn how to do it, and then call it a day. Just my 2-cents.

P.S. Aside from OpenWrt or very broad strokes concepts of the important network configuration concepts, the details about how to manually configure each device/OS with a static IP are out of scope for this forum. Google or the vendor support resources are perfect for that.

3 Likes

Hi psherman,

thank you for your reply.

I agree with both you and efahl, that centralized management is the correct way to do it, for the reasons that you had outlined, and this will be the ultimate solution.

I am just trying to understand the different options, for example disabling the DHCP server for an interface.

The other reason why I am investigating it is that I want to share a printer on a different sub-net, which I am allowed to access, but I have no control over, and the static address is set on the printer. Would it be possible to set a static lease on the OpenWRT router with the host-name, MAC address and the static address of the printer, or will it cause a problem?

Kindest regards,

M

Maybe it would make sense to describe -- or better yet, diagram -- this topology. Typically, you cannot connect to a device on a different subnet without routing. Simply reassigning your network address shouldn't magically make it work -- if it does, that means you've actually got multiple subnets moving on a single unmanaged switch topology which is usually bad news.

We need to know how these things are connected and related to be able to comment further on this.

1 Like

The router does not have to "accept" anything. Just configure the host with a static address, within the proper network segment, but outside the range used by the DHCP server.

And to take a small tangent from the problem at hand, don't neglect that DHCP doesn't just hand out some IP addresses. As @psherman alludes to above, it's the means by which a host derives almost all of the information it needs to operate as a network device. What's my gateway? Who provides DNS? Who provides time services? What's the local network suffix? (Those are just an obvious few from the host's end, the server also has its own list of questions for the host...)

If you have a minute, just glance over the almost-100 options in the list here and you'll get a feel for all the stuff that DHCP is managing: https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Options

2 Likes

Greetings efahl, psherman, eduprez,

first thank you all for your replies, I sincerely appreciate your help.

Second, please note that this is my first foray into better organizing my network beyond simply connecting hosts into a switch, so my knowledge, including the correct terminology, is limited. To wit, the use of the term "accept" that caused quite a stir. Now, in my understanding, routing is using layer 3, therefore, if the router itself does not assign the IP address(es), which is/are provided by the host(s), the router must "accept", or whatever the correct term is, the provided IP address, otherwise it could not route.

Apart from the semantic, attached please find the network layout as currently implemented (the right-hand side) or proposed to be implemented (the left hand side).

Regarding the right-hand side, the network is not under my control and it is configured so that all the hosts are configured with static IP addresses provided by the hosts.

Regarding the left-hand side, I am currently working on understanding the OpenWRT, I have its WAN port connected to the IPS router, receiving a public IP_02, therefore no double NAT, and serving - directly via one of the LAN ports - a single host on an IP address on a sub-net different from the sub-net of the existing network, so as not to further complicate the experiments by inserting the managed switch.

The host is currently a Windows 10 machine, but as I mentioned my other hosts are running different OSs. I did try, for experimental purposes only, to have the host provide the static IP address to the router. However, using an IP address outside of the range used by the DHCP server and regardless whether I did keep the DHCP server running or disabled it for the LAN interface, I could not have a web-browser to connect to the Internet, although the Windows network adapter reported Internet connection.

I would like to resolve it, just for the sake of understanding, however, as noted, my main goal is to be able to connect the hosts (workstations) on one of the VLANs to the printer.

Any help in this manner would be greatly appreciated.

Kindest regards,

M

Based on your diagram, there's really no reason to be messing with host-based static IPs on the left side of the picture (i.e. the stuff you control).

I think that you could get the desired connection working by creating the new VLAN (if not already there) and creating a network interface for it. That interface would either be set to DHCP (if there is a DHCP server on the right side) or a static IP address in the 192.168.0.0/24 subnet (make sure you don't cause a conflict). Then, assign that network interface to a new firewall zone and enable masquerading on that new zone.

Now, your OpenWrt device should be able to reach the printer via its static IP while they keep an address on an entirely different subnet.

1 Like

Hi psherman,

thank you for your reply. It is over my head, so please let me re-state.

First, there is no DHCP running at the right-hand side, all the hosts have set their own static addresses. What you are proposing is that the VLAN 02 is configured on the same sub-net as the sub-net of the right-hand side network (e.g., 192.168.0.X/24).

The perceived problem with the solution is that I do not necessarily trust some of the hosts, currently on the network, which is one of the reasons, I am trying to insulate my network. So I was hoping that I could route between different sub-nets and use the firewall for only one way requests (from the VLAN 02 to the 192.168.0.X/24 sub-net).

However, if this is not possible, I may have to acquire my own printer. :unamused: On the other hand, having it working would be an interesting exercise. :grin:

I am a little confused about the need for masquerading, I thought that it was for NAT. Obviously, I need more networking study time.

Kindest regards,

M

No problem... set the input and forward firewall zone rules to reject. Allow only traffic flow to be initiated by your network, and not the other way around. Simple firewall setup (essentially mirroring that of the wan).

Yes, this is the idea.

It is. But unless you can set a static route in the main router for the right hand side to be able to send reply traffic appropriately, not using masquerading will cause the traffic to simply be dropped. By setting the masq option, the traffic will appear to come from the router itself via the address it holds on the new VLAN, rather than the address of the actual originating device.

1 Like

Hi psherman,

With a danger of abusing your patience, perhaps we are miscommunicating, or I am not quite understanding.

In your post 9, you wrote:

which implies the same sub-net, i.e., 192.168.0.x/24 on both the VLAN 02 and the right-hand side network. However your current post appears to assent to my suggestion of routing between different sub-nets, one on the VLAN, the other on the right-hand side network.

Kindest regards,

M

Let's say that the left hand side is using subnet 192.168.1.0/24. All of your hosts will be on that subnet via VLAN 1.

VLAN 2 (as you've drawn it) will be physically connected to the 192.168.0.0/24 subnet. Therefore, it must have an address on that network. So the router itself will have a network interface for VLAN 2 which will have an address such as 192.168.0.5.

The network interface will be associated with a new firewall zone. Let's call the zone vlan2zone. That zone will have the following properties:

  • Input: REJECT
  • Forward: REJECT
  • Output: ACCEPT
  • Masquerading enabled
  • Forwarding allowed from lan zone (i.e. VLAN 1) > vlan2zone (i.e. VLAN 2).
  • No forwarding defined (and thus not allowed) in the other direction.

That will make it secure for your devices and should allow your devices to reach the printer via its IP address.

1 Like
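The zone described in the post above, written out as OpenWrt UCI configuration. This is an added example, not part of the original thread: the interface name `vlan2` and the device name `eth0.2` are assumptions (the real device name depends on the router's switch driver), while `192.168.0.5`, `vlan2zone` and the `lan` zone are the values used in the post.

```uci
# /etc/config/network
# Router's own address on the other network (VLAN 2).
# 'eth0.2' is an assumed device name for VLAN 2 tagged on the trunk port.
config interface 'vlan2'
	option device 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.0.5'
	option netmask '255.255.255.0'
	# No gateway or DNS here: this interface only reaches 192.168.0.0/24,
	# the default route stays on wan.

# /etc/config/firewall
# Zone for the other network: nothing may be initiated from that side,
# neither towards the router (input) nor through it (forward).
config zone
	option name 'vlan2zone'
	list network 'vlan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Source-NAT outgoing traffic to 192.168.0.5 so the printer can reply
	# without a static route back to the lan subnet.
	option masq '1'

# One-way forwarding: lan (VLAN 1) may open connections into vlan2zone.
# There is deliberately no forwarding section with src 'vlan2zone',
# so connections initiated from 192.168.0.0/24 towards lan are rejected.
config forwarding
	option src 'lan'
	option dest 'vlan2zone'
```

Replies from the printer still get back to the lan hosts because the firewall tracks established connections; only new connections from the 192.168.0.0/24 side are refused.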

Hi psherman,

thank you, I have the (false) impression that I understand it. Again to re-state: the VLAN 2 will not have any of my hosts on it. The firewall setting is understood, I spent quite some hours to understand the zones/firewall, which was a new concept for me, coming from OpenBSD pf.

The only issue left is, your statement:

Do I connect the VLAN 2 port from the managed switch to the port of the network switch?

Kindest regards,

M

Vlan 2 will not have any of your hosts on it. It is purely a connection to the other network.

Physical connections depend on the physical topology.

1 Like

Hi psherman,

thank you for confirming the VLAN 02.

The physical topology is as drawn. All hosts on the right-hand side network are on a single switch, and all my hosts on the managed switch.

Kindest regards,

M

Ok... so you'd set up a trunk with VLAN 1 and VLAN 2 on the OpenWrt port that connects to the switch. Likewise, the switch must have that same configuration.

Then, create an access port for VLAN 2 (i.e. untagged, just that one VLAN) on a switch port and connect it to the right hand network.

1 Like

Hi psherman,

thank you very much for your patience walking me through the concept.

I am not saying that the implementation will be a walk through a rosy garden, but at the same time, I no longer need to worry about both the implementation and whether the implementation is correct from the conceptual level.

Kindest regards,

M