Background

Yesterday I configured DHCP to push static routes to my L2TP clients automatically, and today I found a problem: the first time a client obtains an address from DHCP it only gets the IP address and netmask, with no static routes; only on the second renewal of the address configuration does it receive the static routes correctly.

That is a terrible experience: every time a client connects it cannot reach the other segments in my home lab right away, and has to wait five minutes or more, until it picks up the static-route option I configured, before those segments become reachable. Looking at dhcp.log, the entries related to this client and subnet are as follows:

Jan 27 13:00:36 ss-socks dhcpd: DHCPDISCOVER from ca:f1:36:6c:a6:09 via tap_vpn0
Jan 27 13:00:37 ss-socks dhcpd: DHCPOFFER on 10.0.0.7 to ca:f1:36:6c:a6:09 (MacBP) via tap_vpn0
Jan 27 13:00:37 ss-socks dhcpd: DHCPREQUEST for 10.0.0.7 (10.0.0.1) from ca:f1:36:6c:a6:09 (MacBP) via tap_vpn0
Jan 27 13:00:37 ss-socks dhcpd: DHCPACK on 10.0.0.7 to ca:f1:36:6c:a6:09 (MacBP) via tap_vpn0
Jan 27 13:00:37 ss-socks dhcpd: DHCPINFORM from 10.0.0.7 via tap_vpn0: not authoritative for subnet 10.0.0.0
Jan 27 13:00:37 ss-socks dhcpd: If this DHCP server is authoritative for that subnet,
Jan 27 13:00:37 ss-socks dhcpd: please write an `authoritative;' directive either in the
Jan 27 13:00:37 ss-socks dhcpd: subnet declaration or in some scope that encloses the
Jan 27 13:00:37 ss-socks dhcpd: subnet declaration - for example, write it at the top
Jan 27 13:00:37 ss-socks dhcpd: of the dhcpd.conf file.
Jan 27 13:00:40 ss-socks dhcpd: DHCPINFORM from 10.0.0.7 via tap_vpn0: not authoritative for subnet 10.0.0.0
Jan 27 13:00:43 ss-socks dhcpd: DHCPINFORM from 10.0.0.7 via tap_vpn0: not authoritative for subnet 10.0.0.0
Jan 27 13:00:46 ss-socks dhcpd: DHCPINFORM from 10.0.0.7 via tap_vpn0: not authoritative for subnet 10.0.0.0
Jan 27 13:00:49 ss-socks dhcpd: DHCPINFORM from 10.0.0.7 via tap_vpn0: not authoritative for subnet 10.0.0.0

Analysis

Key line: DHCPINFORM from 10.0.0.7 via tap_vpn0: not authoritative for subnet 10.0.0.0

It looks like it is saying the server is not authoritative for the 10.0.0.0/24 subnet. According to the hint in the log, a directive needs to be added to dhcpd.conf.

Of course I still wanted to understand the actual cause, so I googled the message.
I planned the 10.0.0.0/24 segment specifically for L2TP clients, which only need to reach a few specific segments in my home lab, and I do not want a client to send all of its traffic through the L2TP tunnel by default once connected. So in dhcpd.conf I did not define the option routers parameter for this subnet; in other words, DHCP for this subnet does not hand out a default gateway:

# VPN Client network for Tap
subnet 10.0.0.0 netmask 255.255.255.0 {
  range dynamic-bootp 10.0.0.2 10.0.0.20;
  option broadcast-address 10.0.0.255;
  #option routers 10.0.0.1;        # default route disabled: no default gateway is handed out
  option ms-classless-static-routes 24,192,168,10,10,0,0,1,24,192,168,2,10,0,0,1,24,192,168,100,10,0,0,1,24,172,16,10,10,0,0,1,24,10,0,0,10,0,0,1;
  option rfc3442-classless-static-routes 24,192,168,10,10,0,0,1,24,192,168,2,10,0,0,1,24,192,168,100,10,0,0,1,24,172,16,10,10,0,0,1,24,10,0,0,10,0,0,1;
}

My guess is that ISC DHCPD, seeing that no default gateway is defined for this subnet in the configuration file, decided it might not be authoritative for this segment, and that is why it logged this message in dhcp.log.
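The two static-route option lines above are hand-encoded RFC 3442 route lists. As an added example (not from the original post), this Python encoder/decoder builds exactly that octet list from the post's five routes, generalises to any prefix length (a /0 default route carries no destination octets, a /32 carries all four), and round-trips the result so a comma list can be checked before it goes into dhcpd.conf. PAGE_ROUTES is the post's route list; the function names are my own.

```python
import ipaddress

# Routes from the dhcpd.conf above as (destination, next hop); all go via 10.0.0.1.
PAGE_ROUTES = [
    ("192.168.10.0/24", "10.0.0.1"),
    ("192.168.2.0/24", "10.0.0.1"),
    ("192.168.100.0/24", "10.0.0.1"),
    ("172.16.10.0/24", "10.0.0.1"),
    ("10.0.0.0/24", "10.0.0.1"),
]


def encode_rfc3442(routes):
    """Encode (destination, next-hop) pairs as the RFC 3442 option 121 octet list.

    Each entry is: prefix length, then only the significant destination octets
    (ceil(prefix/8) of them: a /24 carries 3, a /0 carries none), then the router.
    """
    out = []
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out.extend(net.network_address.packed[:sig])
        out.extend(ipaddress.IPv4Address(gw).packed)
    return out


def decode_rfc3442(octets):
    """Inverse of encode_rfc3442; raises ValueError on a malformed octet list."""
    routes, i = [], 0
    while i < len(octets):
        plen = octets[i]
        if not 0 <= plen <= 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        sig = (plen + 7) // 8
        if i + 1 + sig + 4 > len(octets):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = bytes(octets[i + 1:i + 1 + sig]).ljust(4, b"\x00")
        gw = bytes(octets[i + 1 + sig:i + 5 + sig])
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(gw))))
        i += 1 + sig + 4
    return routes


def dhcpd_option_value(routes):
    """Render the octet list the way dhcpd.conf expects: comma-separated decimals."""
    return ",".join(str(b) for b in encode_rfc3442(routes))
```

Per RFC 3442 a client that receives this option ignores option routers, so leaving the default gateway out, as the post does, is what keeps the tunnel from becoming the default route.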

Fix

Of course the fix is already spelled out clearly in that passage from the log; in plain terms it says:

If this DHCP server is authoritative for that subnet, write an `authoritative;' directive, either inside the subnet declaration or in some scope that encloses it, for example at the top of the dhcpd.conf file.

I did not want to affect the configuration of the other subnets on this DHCP server, so I added it inside the scope of the 10.0.0.1 subnet, as follows:

# VPN Client network for Tap
subnet 10.0.0.0 netmask 255.255.255.0 {
  range dynamic-bootp 10.0.0.2 10.0.0.20;
  option broadcast-address 10.0.0.255;
  #option routers 10.0.0.1;        # default route disabled: no default gateway is handed out
  option ms-classless-static-routes 24,192,168,10,10,0,0,1,24,192,168,2,10,0,0,1,24,192,168,100,10,0,0,1,24,172,16,10,10,0,0,1,24,10,0,0,10,0,0,1;
  option rfc3442-classless-static-routes 24,192,168,10,10,0,0,1,24,192,168,2,10,0,0,1,24,192,168,100,10,0,0,1,24,172,16,10,10,0,0,1,24,10,0,0,10,0,0,1;
  authoritative;    # declare the server authoritative for this subnet
}

After restarting the dhcpd service, the client reconnected and obtained an IP, and now receives the correct static-route configuration on the very first attempt; the "not authoritative for subnet" message no longer appears in the log either.

Last modification: March 10, 2019