DHCP Relay

What's the purpose of a DHCP relay?

Would it allow me to access a router behind an access point (without connecting to the VPN router directly)?

Router --> AP --> VPN Router
 
DHCP by itself is a protocol that won't leave the local network. When a device does a DHCP discover it sends out a message to any host that's listening and says "Hey, I need an IP address please!". If there's a DHCP server there it'll reply and say "I've got an IP address you can have, it's x.x.x.x. Would you like it?" That's known as a DHCP offer. Next the client will send back a DHCP request message which says "Yes please, I would like that IP address!". After that the DHCP server will actually set aside that IP address for the client and pass the client all of the information it needs - subnet mask, gateway and so on. That's known as a DHCP ack.

Let's say you have 2 networks that connect together at a single router. Network 1 is 192.168.10.0/24 and network 2 is 192.168.20.0/24. DHCP for network 1 is served by 192.168.10.1. Network 2 doesn't have a DHCP server so you decide to use the DHCP server in network 2. You need to configure a DHCP scope on 192.168.10.1, but even once you've done that none of the clients on network 2 will be getting an IP address, as the DHCP requests won't leave the broadcast domain for network 2. If you then configure the router (or A. N. Other device) to be a DHCP relay server then that device will itself listen for DHCP discover messages and will then relay them on to the DHCP server in network 1. The device will act as a go-between between the DHCP server and the client in network 2 that's asking for an IP address.

When the process is complete, if you check 'ifconfig /all' or similar on the client in network 2 it will list 192.168.10.1 as its DHCP server rather than the device that's acting as a DHCP relay server.

There are reasons for and against using DHCP relay. In a previous life I used to run central DHCP for the European offices. The benefit was that when we made changes there was only 1 server to change. The big drawback is that a lack of connectivity anywhere in the chain could cause DHCP to be unavailable. Hardware failures can knacker you too, but with H/A and split scopes you can mitigate that to some extent. These days I wouldn't bother with it and just run local DHCP.

So that's a long-winded way of saying no, it won't help you access the router in that setup. If you explain a bit more about it (and maybe include a quick physical layout and IP addressing) we may be able to work something out for you.
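Added example, not part of the original posts: a Python sketch of the relay step described above, using the thread's two networks. The relay address 192.168.20.1, the hop limit of 4, the client MAC and the transaction id are assumed or constructed values, and the scope lookup is a simplified stand-in for a real DHCP server.

```python
import ipaddress
import struct

# Fixed BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = bytes([0x63, 0x82, 0x53, 0x63])
MAX_HOPS = 4  # assumed relay hop limit

def ip(s):
    return ipaddress.IPv4Address(s).packed

def build_discover(xid, mac):
    """Constructed client DHCPDISCOVER: broadcast, giaddr still 0.0.0.0."""
    hdr = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, ip("0.0.0.0"), ip("0.0.0.0"),
                     ip("0.0.0.0"), ip("0.0.0.0"), mac, b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, end

def relay(packet, ingress_ip):
    """What the relay does: bump hops, stamp giaddr, then unicast to server."""
    f = list(BOOTP.unpack(packet[:BOOTP.size]))
    if f[3] >= MAX_HOPS:
        return None  # drop: stops packets looping between relays
    f[3] += 1
    if f[10] == ip("0.0.0.0"):
        f[10] = ip(ingress_ip)  # only the first relay sets giaddr
    return BOOTP.pack(*f) + packet[BOOTP.size:]

def pick_scope(packet, scopes, server_ip):
    """Server side: giaddr (or own address if unrelayed) selects the scope."""
    giaddr = ipaddress.IPv4Address(BOOTP.unpack(packet[:BOOTP.size])[10])
    source = ipaddress.IPv4Address(server_ip) if giaddr.is_unspecified else giaddr
    for net in scopes:
        if source in ipaddress.ip_network(net):
            return net
    return None  # no scope for that subnet: the client gets no offer

SCOPES = ["192.168.10.0/24", "192.168.20.0/24"]
SERVER = "192.168.10.1"
discover = build_discover(0x1234ABCD, bytes.fromhex("020000000001"))
relayed = relay(discover, "192.168.20.1")  # assumed relay address on network 2

if __name__ == "__main__":
    print("direct :", pick_scope(discover, SCOPES, SERVER))
    print("relayed:", pick_scope(relayed, SCOPES, SERVER))
```

If the server has no 192.168.20.0/24 scope, `pick_scope` returns `None` for the relayed packet, which is why the scope has to be configured on 192.168.10.1 as well as the relay.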
 
Thank you for the explanation. It made a lot more sense than some of the videos I've watched about it.

Diagram as requested.

edge router 192.168.1.1
vpn router 192.168.4.1
dlink router 192.168.1.50

It's the VPN router I want to reach from the main router/AP.

It's not the end of the world if I can't, as I can always connect to the VPN wirelessly and access the CP that way.




 
There's a couple of ways it might work.

- Set up port forwarding on the D-Link router. Assuming the VPN router has the management interface on port 80, then set up a port forward that forwards port 80 traffic to 192.168.4.1. As you'll be connecting to the VPN router through the D-Link router, you'd need to reach the VPN router via http://192.168.1.50 rather than the physical IP address of the VPN router. If port 80 (or whatever the port is you need) is in use by the D-Link router then use PAT - Port Address Forwarding. Set the D-Link to forward traffic it receives on port 81 to port 80 on the VPN router. You'd then access the VPN router using http://192.168.1.50:81.

- Create a new 192.168.4.0/24 VLAN on the ER-X but be careful not to give the ER-X 192.168.4.1 as its IP address in that VLAN. Then connect a cable from a port on the ER-X that's untagged in that VLAN to the LAN side of the VPN router. You should then be able to reach the VPN router on 192.168.4.1.
 
Thanks, buddy, I'll give these both a shot when I have some time.

Do you know if it's possible to reach the AP CP via its WAN port? I can only reach it if I connect directly to the AP via wifi at the moment.
 
Management access to WAN interfaces is generally disabled by default but it might be possible to enable it. I've no experience of your specific device so can't say either way. It's a good point: the port forwarding method I mentioned would only work if you could access the management interface from the WAN side.

You refer to it as an AP, but surely it's a router and AP combined?
 
It is a router, yes. I call it an AP as DHCP is off, as well as the firewall etc.

I think I can live with the current conditions. Will tinker with the port forwarding and VLAN stuff later after work.

Thanks for all your help.
 