The DHCP Server dhcpd

DHCP is the standard method for dynamically configuring clients on an IP network. You might know DHCP as a way to give computers basic IP information, but it can also hand out configuration files for embedded devices such as routers and phones, point diskless machines to their kernel and userland, and much more.

OpenBSD includes a heavily modified ISC DHCP server, dhcpd(8). Here, we’ll cover the basics of using dhcpd for configuring dynamic clients in a shared Ethernet system. In Chapter 23, we’ll discuss the details of using DHCP to configure diskless workstations.

How DHCP Works

A client seeking DHCP information broadcasts a request across the local network asking for someone—anyone—to give it a network configuration. If your DHCP server is on that Ethernet segment, it answers directly. If it’s on another network segment, the router for that network segment can forward the DHCP request to your server, which will then offer a configuration to the client, maintaining a list of which clients have been assigned which unique configuration values (such as IP addresses). A configuration issued to a client is called a lease. Like all leases, DHCP leases expire and must be renewed in order to be valid.

Clients can request certain DHCP features to support their operations. For example, Microsoft clients request the IP addresses of the network Windows Internet Name Service (WINS) servers, Voice over IP (VoIP) desktop phones request their configuration file, and diskless systems (discussed in Chapter 23) ask where to find their kernel and userland. The DHCP server can offer this information, or not.

The DHCP server uniquely identifies each client by the MAC address of the network card it uses to connect to the network. To find out what information a client received from the DHCP server, get the client’s MAC address and search for it in the /var/db/dhcpd.leases file.

Configuring dhcpd(8)

Configure dhcpd in /etc/dhcpd.conf. The default dhcpd.conf file includes a sample configuration suitable for a small office environment, as well as a diskless client sample configuration.

I’m going to assume that you’re running a single DHCP server on your network, and that this server is authoritative for DHCP services. (OpenBSD’s DHCP server also supports clustering for fault tolerance.)

Before configuring dhcpd to configure clients dynamically, you’ll need a few facts about your network:

  • Domain name

  • DNS servers

  • IP network and netmask

  • Range of IP addresses in the network used for DHCP clients

  • Default router

Once you have this information, you can assemble a brief dhcpd.conf. Here’s an example:

1 option domain-name "blackhelicopters.org";
2 option domain-name-servers 192.0.2.5 192.0.2.10;
3 subnet 198.51.100.0 netmask 255.255.255.0 {
4     option routers 198.51.100.1;
5     range 198.51.100.51 198.51.100.100;
  }

All hosts that get their configuration from this host are told that their domain name is blackhelicopters.org 1, and that they should use the name servers 192.0.2.5 and 192.0.2.10 2. The client can be configured to ignore or override this DHCP configuration, but you can’t prevent local sysadmins from hanging themselves.

Each subnet needs its own configuration. Even if you have only one subnet, you must still have a subnet statement defining the IP network for that subnet so that dhcpd can determine which clients get which configuration. This example defines the configuration for clients on the network at 198.51.100.0/24 3. Everything inside the braces that follow applies only to hosts on this subnet.

The routers option at 4 identifies the default gateway for this network. Because the dhcpd server won’t let you define additional static routes to feed to clients, your local network router must have proper routes to reach the destination. If you have multiple gateways on your local network, your default router should send an ICMP redirect to the DHCP client to correct its routing. (You don’t unilaterally block ICMP from your firewalls, do you?)

The range keyword gives the IP addresses that the DHCP server can assign to clients. In this example, the DHCP server controls the addresses 198.51.100.51 to 198.51.100.100, inclusive 5. If 52 dynamic clients connect simultaneously, the last client won’t get an address.

This configuration should get your clients on the network.

Static IP Address Assignments

You can tell your DHCP server to assign a specific address to a specific host by adding a host stanza within the subnet statement that gives the client’s Ethernet (MAC) address. Here’s the earlier DHCP configuration with a static entry added:

subnet 198.51.100.0 netmask 255.255.255.0 {
    option routers 198.51.100.1;
    host lucas-desktop {
        hardware ethernet 00:cf:01:b1:9b:07;
        fixed-address 192.0.2.254;
    }
}

I’ve found the MAC address of my workstation, and used it to assign a static IP address to that machine. This client machine inherits the default router from the subnet definition, as well as any default DHCP information.

Enabling dhcpd

Enable dhcpd in rc.conf.local.

dhcpd_flags=""

If you have only one network-facing interface, dhcpd will automatically listen for DHCP requests on that interface. If you have multiple interfaces, give the interface name as an argument. For example, here’s how to tell dhcpd to listen for requests only on the interface fxp1:

dhcpd_flags="fxp1"

The interface name must be the last dhcpd argument in rc.conf.local. If dhcpd needs to handle several interfaces, the list of interfaces must come after any other arguments in dhcpd_flags.

dhcpd and Firewalls

The OpenBSD packet filtering system includes tables, which are lists of IP addresses that the packet filter applies rules to. Traffic from IP addresses in tables can be blocked, have its bandwidth throttled or prioritized, or be allowed to pass. Each table has a unique name.

The dhcpd server can add addresses to packet filter tables, thereby dynamically changing the firewall rules depending on whether an IP address is leased. Here, we’ll look at configuring dhcpd to give addresses to the packet filter tables. Chapter 21 discusses how to configure the packet filter to handle addresses from dhcpd.

DHCP considers IP addresses in its address pool to be in one of three states: leased, abandoned, or changed. Leased addresses are addresses assigned to a host attached to the network. Use -L to give dhcpd the name of the packet filter table for leased addresses, and then configure the packet filter to allow or deny those addresses access to the rest of the network.

Abandoned addresses are ones that have been assigned to a host, but that are not currently in use. In practice, that means that if you shut down your laptop, the DHCP server will consider the IP address assigned to it abandoned. The problem with that is that unauthorized users might try to get on the network by taking an unused address from the address pool, without going through the DHCP server. To address this problem, give the packet filter the list of addresses not in use, and give illicit network hosts their own special packet filter rules. Use the -A argument to tell dhcpd the name of the packet filter table for abandoned addresses.

If a host changes its address despite the DHCP server’s configuration instructions, the DHCP server considers the address changed, and dhcpd can add its new address to the changed address table. Use the -C argument to tell dhcpd the name of the changed address table. (In Chapter 21, we’ll do something interesting with these tables.) Here’s a dhcpd_flags entry in rc.conf.local that names all three tables and, as the last argument, the interface to listen on:

dhcpd_flags="-A table1 -L table2 -C table3 fxp1"

Note

Static IP address assignments do not go into tables. If you assign a static address to a host, you must manually configure firewall rules for that address.
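As an added example that is not from the book, here is a small Python script that reads the dhcpd.leases file format to find a client’s current lease by MAC address, classify it as active, expired, or abandoned, and confirm that the address lies inside the range dhcpd hands out. The lease entries, the timestamp, and the pool boundaries are constructed for the demonstration.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample in dhcpd.leases(5) format; the last block for a MAC is current.
SAMPLE_LEASES = """\
lease 198.51.100.52 {
    starts 3 2024/01/10 12:00:00;
    ends 3 2024/01/10 12:30:00;
    hardware ethernet 00:cf:01:b1:9b:07;
}
lease 198.51.100.53 {
    starts 3 2024/01/10 12:05:00;
    ends 3 2024/01/10 12:35:00;
    abandoned;
    hardware ethernet 00:cf:01:b1:9b:08;
}
lease 198.51.100.52 {
    starts 3 2024/01/10 12:20:00;
    ends 3 2024/01/10 12:50:00;
    hardware ethernet 00:cf:01:b1:9b:07;
}
"""
SAMPLE_NOW = datetime(2024, 1, 10, 12, 40, tzinfo=timezone.utc)  # constructed "now"
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)

def parse_leases(text):
    leases = []  # one dict per lease block, in file order
    for ip, body in LEASE_RE.findall(text):
        lease = {"ip": ip, "abandoned": False}
        for words in filter(None, (s.split() for s in body.split(";"))):
            if words[0] == "abandoned":
                lease["abandoned"] = True
            elif words[0] in ("starts", "ends"):  # "starts 3 2024/01/10 12:00:00", UTC
                stamp = datetime.strptime(" ".join(words[2:4]), "%Y/%m/%d %H:%M:%S")
                lease[words[0]] = stamp.replace(tzinfo=timezone.utc)
            elif words[0] == "hardware":
                lease["mac"] = words[2].lower()
        leases.append(lease)
    return leases

def lookup(text, mac, now=SAMPLE_NOW, pool=("198.51.100.51", "198.51.100.100")):
    current = {x["mac"]: x for x in parse_leases(text) if "mac" in x}  # last wins
    lease = current.get(mac.lower())
    if lease is None:
        return None
    state = ("abandoned" if lease["abandoned"] else
             "active" if lease["starts"] <= now < lease["ends"] else "expired")
    return {"ip": lease["ip"], "state": state, "in_pool":
            ip_address(pool[0]) <= ip_address(lease["ip"]) <= ip_address(pool[1])}
```

An address reported as abandoned or as outside the pool is exactly the kind of entry the -A table and a static-assignment firewall rule are meant to catch.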
