Debian 12 freeradius 3.0.27 DHCP не могу найти ошибку

Автор 375689, 26 сентября 2025, 12:31:07



375689

Добрый день. Поднял тестовый сервер для отработки dhcp сервера на радиус сервере.
По мануалу активировал dhcp. Ошибок нет, сам сервер работает, но dhcp ip не выдаёт. Не могу понять, куда дальше копать.
Параметры сетевые сервера:
# Parent interface: "inet manual" brings it up without assigning an address.
# enX0.10 and enX0.253 below are presumably VLAN sub-interfaces of it, going
# by their names - confirm.
auto enX0
iface enX0 inet manual

# Statically addressed interface carrying the default gateway and DNS setting.
auto enX0.10
iface enX0.10 inet static
address 33.168.1.62/24
gateway 33.168.1.1
dns-nameservers 8.8.8.8

# Interface the DHCP listener is bound to (interface = enX0.253 in the
# listen section of sites-enabled/dhcp).
# NOTE(review): 33.168.1.0/24 and 193.168.2.0/24 are not RFC 1918 private
# ranges. If 192.168.x.x was intended, confirm the addressing before clients
# are handed leases from this segment.
auto enX0.253
iface enX0.253 inet static
address 193.168.2.233/24

Параметры dhcp сервера:
sites-enabled/dhcp
# -*- text -*-
######################################################################
#
#       This is a virtual server that handles DHCP.
#
#  See raddb/mods-available/dhcp_sqlippool for the IP Pool configuration.
#
#  See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
#  the RADIUS based "sqlippool" module to be used for DHCP.
#
#  See raddb/mods-config/sql/ippool/ for the schemas.
#
#  See raddb/sites-available/dhcp for instructions on how to configure
#  the DHCP server.
#
#       $Id: 4f5ed5102a6c9fed3c352b3666faafe5b2f86c11 $
#
######################################################################

#
#  The DHCP functionality goes into a virtual server.
#
server dhcp {

#  Define a DHCP socket.
#
#  The default port below is 6700, so you don't break your network.
#  If you want it to do real DHCP, change this to 67, and good luck!
#
#  You can also bind the DHCP socket to an interface.
#  See below, and raddb/radiusd.conf for examples.
#
#  This lets you run *one* DHCP server instance and have it listen on
#  multiple interfaces, each with a separate policy.
#
#  If you have multiple interfaces, it is a good idea to bind the
#  listen section to an interface.  You will also need one listen
#  section per interface.
#
#  FreeBSD does *not* support binding sockets to interfaces.  Therefore,
#  if you have multiple interfaces, broadcasts may go out of the wrong
#  one, or even all interfaces.  The solution is to use the "setfib" command.
#  If you have a network "10.10.0/24" on LAN1, you will need to do:
#
#  Pick any IP on the 10.10.0/24 network
#       $ setfib 1 route add default 10.10.0.1
#
#  Edit /etc/rc.local, and add a line:
#       setfib 1 /path/to/radiusd
#
#  The kernel must be built with the following options:
#       options    ROUTETABLES=2
#  or any value larger than 2.
#
# The other only solution is to update FreeRADIUS to use BPF sockets.
#
listen {
        #  DHCP listener for the "dhcp" virtual server. As posted it is
        #  bound to interface enX0.253 on port 67 with broadcast enabled.

        #  This is a dhcp socket.
        type = dhcp

#       transport = udp
        #  IP address to listen on. Will usually be the IP of the
        #  interface, or 0.0.0.0
        ipaddr = 0.0.0.0

        #  source IP address for unicast packets sent by the
        #  DHCP server.
        #
        #  The source IP for unicast packets is chosen from the first
        #  one of the following items which returns a valid IP
        #  address:
        #
        #       src_ipaddr
        #       ipaddr
        #       reply:DHCP-Server-IP-Address
        #       reply:DHCP-DHCP-Server-Identifier
        #
        #  NOTE(review): "ipaddr" is assigned a second time below (it is
        #  already set to 0.0.0.0 above), and the second value is a /24
        #  prefix rather than the single listen address the comment above
        #  describes. Confirm which value the server actually uses, e.g.
        #  from the debug output of "freeradius -X".
        #
        #  NOTE(review): "reply:DHCP-DHCP-Server-Iden" looks like a
        #  truncated copy of the last entry in the list above. That list
        #  names the places the server looks for a source IP; it does not
        #  appear to describe listen-section settings, so this line is
        #  presumably not a valid configuration item - verify.
        src_ipaddr = 193.168.2.233
        ipaddr = 193.168.2.0/24
        reply:DHCP-DHCP-Server-Iden = 193.168.2.233
        #  The port should be 67 for a production network. Don't set
        #  it to 67 on a production network unless you really know
        #  what you're doing. Even if nothing is configured below, the
        #  server may still NAK legitimate responses from clients.
        #
        #  NOTE(review): with port 67 and broadcast enabled this server
        #  answers DHCP clients on the segment it listens on. Keep the
        #  interface binding below so it cannot respond on other
        #  networks, and check that no other DHCP server is meant to be
        #  authoritative on enX0.253.
        port = 67
        client_port = 68
        #  Interface name we are listening on. See comments above.
        interface = enX0.253

        # The DHCP server defaults to allowing broadcast packets.
        # Set this to "no" only when the server receives *all* packets
        # from a relay agent.  i.e. when *no* clients are on the same
        # LAN as the DHCP server.
        #
        # It's set to "no" here for testing. It will usually want to
        # be "yes" in production, unless you are only dealing with
        # relayed packets.
        #
        # NOTE(review): the sentence about "no" is stock text; in this
        # copy the value is "yes".
        broadcast = yes

        # On Linux if you're running the server as non-root, you
        # will need to do:
        #
        #       sudo setcap cap_net_admin=ei /path/to/radiusd
        #
        # This will allow the server to set ARP table entries
        # for newly allocated IPs

        # De-duplicate DHCP packets.  If clients don't receive
        # a reply within their timeout, most will re-transmit.
        # A reply to either packet will satisfy, so de-duplicating
        # helps manage load on a busy server
        #
        # NOTE(review): going by its name, "skip_duplicate_checks = yes"
        # turns the duplicate checks off rather than on - confirm against
        # the stock sites-available/dhcp.
        performance {
                skip_duplicate_checks = yes
        }
}

#  Packets received on the socket will be processed through one
#  of the following sections, named after the DHCP packet type.
#  See dictionary.dhcp for the packet types.

#  Return packets will be sent to, in preference order:
#     DHCP-Gateway-IP-Address
#     DHCP-Client-IP-Address
#     DHCP-Your-IP-Address
#  At least one of these attributes should be set at the end of each
#  section for a response to be sent.

#  An internal attribute of DHCP-Network-Subnet is set to provide
#  a basis for determining the network that a client belongs to.  This
#  is a hierarchical assignment based on:
#
#    - DHCP-Relay-Link-Selection
#    - DHCP-Subnet-Selection-Option
#    - DHCP-Gateway-IP-Address
#    - DHCP-Client-IP-Address
#
#  Except for cases where all IP allocation is performed using a mapping from
#  the device MAC address to a fixed IP address the DHCP configuration will
#  involve the use of one or more pools.
#
#  Each pool should be composed of a set of equally valid IP addresses for the
#  devices designated as users of the pool. During IP allocation the choice of
#  pool is driven by setting the Pool-Name attribute which may either be
#  specified directly or chosen (usually with the help of the dhcp_network
#  module) based on the initial value of DHCP-Network-Subnet.
#
#  DHCP-Network-Subnet indicates the network from which the request is
#  originating. In cases where the originating network alone is insufficient to
#  define the required IP allocated policy, DHCP-Network-Subnet may be
#  overridden to force the selection of a particular pool.
#
#  IP addresses belonging to a single pool that is designated for a Layer 2
#  network containing multiple subnets (a "shared-network" or "multinet"
#  configuration as defined by some other DHCP servers), will by definition be
#  members of distinct subnets that require their own DHCP reply parameters. In
#  this case the dhcp_subnet policy can be used to set the correct
#  DHCP-Subnet-Mask, DHCP-Router-Address and DHCP-Broadcast-Address options
#  based on the allocated IP.

dhcp DHCP-Discover {

        #  Handles DHCP-Discover packets. As posted, the enabled steps are:
        #  set the server identifier in control, call dhcp_common, call
        #  mac2ip. Everything else in this section is commented out.

        #  The DHCP Server Identifier is set here since it is returned in OFFERs
        update control {
                &DHCP-DHCP-Server-Identifier = 193.168.2.233
        }

        #  Call a policy (defined in policy.d/dhcp) to set common reply attributes
        dhcp_common

        #  Use a "passwd" module to set group memberships in DHCP-Group-Name
        #  Enable mods-available/dhcp_passwd to use this
        #dhcp_group_membership

        #  If clients need to be assigned to a particular network based on
        #  an attribute in the packet rather than the calculated
        #  DHCP-Network-Subnet described above, then call a policy
        #  (defined in policy.d/dhcp) to perform the override
        #dhcp_override_network

        #  Use a "files" module to lookup global and subnet options
        #  For multiple subnets use this in place of dhcp_common
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_network

        #  Do a simple mapping of MAC to assigned IP.
        #
        #  See below for the definition of the "mac2ip"
        #  module.
        #
        #  NOTE(review): mac2ip is the only address-assignment step enabled
        #  in this section (dhcp_sqlippool below is commented out). The
        #  sample text at the end of this file describes it as a
        #  <mac>,<ip> lookup in mods-config/passwd/mac2ip, so a client whose
        #  MAC is not listed there presumably gets no DHCP-Your-IP-Address.
        #  Confirm that the file exists and contains the test client.
        mac2ip

        #  Or, allocate IPs from the DHCP pool in SQL. You may need to
        #  set the pool name here if you haven't set it elsewhere.
        #update control {
        #       &Pool-Name := "local"
        #}
        #dhcp_sqlippool

        #  If the IP address was not allocated, do something else.
        #  You could call a Perl, Python, or Java script here.
        #if (notfound) {
        # ...
        #}

        #  "Shared-networks" may have multiple IP subnets co-existing in a
        #  single Layer 2 network. If the pool for the network contains
        #  addresses from more than one subnet then the setting subnet-specific
        #  DHCP-Subnet-Mask, DHCP-Router-Address and DHCP-Broadcast-Address
        #  parameters must be performed after the allocation of the IP address.
        #
        #  Set any subnet-specific parameters using this policy.
        #
        #  Enable mods-available/dhcp_files AND uncomment dhcp_subnet in
        #  policy.d/dhcp to use this.
        #
        #dhcp_subnet

        #  Use a "files" module to lookup options based on DHCP-Group-Name
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_group_options

        #  Use a "files" module to lookup host specific options
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_hosts

        #  As an alternative or complement to configuration files based lookup
        #  for options data you can instead use an SQL database. Example
        #  configuration is found in dhcp_policy_sql in policy.d/dhcp which
        #  will need to be adapted to your requirements.
        #dhcp_policy_sql

        #  Set the type of packet to send in reply.
        #
        #  The server will look at the DHCP-Message-Type attribute to
        #  determine which type of packet to send in reply. Common
        #  values would be DHCP-Offer, DHCP-Ack or DHCP-NAK. See
        #  dictionary.dhcp for all the possible values.
        #
        #  DHCP-Do-Not-Respond can be used to tell the server to not
        #  respond.
        #
        #  In the event that DHCP-Message-Type is not set then the
        #  server will fall back to determining the type of reply
        #  based on the rcode of this section.
        #
        #update reply {
        #       DHCP-Message-Type = DHCP-Offer
        #}
        #
        #  If DHCP-Message-Type is not set, returning "ok" or
        #  "updated" from this section will respond with a DHCP-Offer
        #  message.
        #
        #  Other rcodes will tell the server to not return any response.
        #
        #  NOTE(review): both the "update reply" above and the "ok" below
        #  are commented out, so whether an OFFER is sent depends on the
        #  rcode the section ends with. Check that rcode in the debug
        #  output when no OFFER is seen on the wire.
        #
        #ok
}

dhcp DHCP-Request {

        #  Handles DHCP-Request packets. As posted, the enabled steps are:
        #  set the server identifier in control, discard requests addressed
        #  to another server, call dhcp_common. No address-assignment step
        #  is enabled (see the note at mac2ip below).

        #  You must set the DHCP Server Identifier here since this is returned
        #  in ACKs and is used to determine whether a request containing a
        #  "server-ip" field is intended for this server
        update control {
                &DHCP-DHCP-Server-Identifier = 193.168.2.233
        }

        #  If the request is not for this server then silently discard it
        if (&request:DHCP-DHCP-Server-Identifier && \
            &request:DHCP-DHCP-Server-Identifier != &control:DHCP-DHCP-Server-Identifier) {
                do_not_respond
        }

        #  Response packet type. See DHCP-Discover section above.
        #update reply {
        #       &DHCP-Message-Type = DHCP-Ack
        #}

        #  Call a policy (defined in policy.d/dhcp) to set common reply attributes
        dhcp_common

        #  Use a "passwd" module to set group memberships in DHCP-Group-Name
        #  Enable mods-available/dhcp_passwd to use this
        #dhcp_group_membership

        #  Optionally override the network address based on client attributes
        #  See Discover section
        #dhcp_override_network

        #  Use a "files" module to lookup global and subnet options
        #  For multiple subnets use this in place of dhcp_common
        #  Enable mods-available/dhcp_files AND uncomment dhcp_subnet in
        #  policy.d/dhcp to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_network

        #  Do a simple mapping of MAC to assigned IP.
        #
        #  See below for the definition of the "mac2ip"
        #  module.
        #
        #  NOTE(review): mac2ip is commented out here although the
        #  DHCP-Discover section calls it, and dhcp_sqlippool_request below
        #  is commented out as well. Unless DHCP-Your-IP-Address is set
        #  somewhere else, the reply built by this section presumably
        #  carries no address - confirm, and keep Discover and Request
        #  using the same assignment method.
        #mac2ip

        #  Or, allocate IPs from the DHCP pool in SQL. You may need to
        #  set the pool name here if you haven't set it elsewhere.
#       update control {
#               &Pool-Name := "local"
#       }
#       dhcp_sqlippool_request

        #  If the IP was not allocated, do something else.
        #  You could call a Perl, Python, or Java script here.
        #if (notfound) {
        # ...
        #}

        #  "Shared-networks" may have multiple IP subnets co-existing in a
        #  single Layer 2 network. If the pool for the network contains
        #  addresses from more than one subnet then the setting subnet-specific
        #  DHCP-Subnet-Mask, DHCP-Router-Address and DHCP-Broadcast-Address
        #  parameters must be performed after the allocation of the IP address.
        #
        #  Set any subnet-specific parameters using this policy.
        #
        #dhcp_subnet

        #  Use a "files" module to lookup options based on DHCP-Group-Name
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_group_options

        #  Use a "files" module to lookup host specific options
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_hosts

        #  As an alternative or complement to configuration files based lookup
        #  for options data you can instead use an SQL database. Example
        #  configuration is found in dhcp_policy_sql in policy.d/dhcp which
        #  will need to be adapted to your requirements.
        #dhcp_policy_sql

        #  If DHCP-Message-Type is not set, returning "ok" or
        #  "updated" from this section will respond with a DHCP-Ack
        #  packet.
        #
        #  "handled" will not return a packet, all other rcodes will
        #  send back a DHCP-NAK.
        #
        #ok
}

#
#  Other DHCP packet types
#
#  There should be a separate section for each DHCP message type.
#  By default this configuration will ignore them all. Any packet type
#  not defined here will be responded to with a DHCP-NAK.

dhcp DHCP-Decline {

        #  Handles DHCP-Decline packets. As posted, the only enabled steps
        #  mark the reply as DHCP-Do-Not-Respond and then call "reject";
        #  the pool release via dhcp_sqlippool_decline is commented out.

        #  Use a "passwd" module to set group memberships in DHCP-Group-Name
        #  Enable mods-available/dhcp_passwd to use this
        #dhcp_group_membership

        #  Optionally override the network address based on client attributes
        #  See Discover section
        #dhcp_override_network

        #  Use a "files" module to lookup global and subnet options
        #  For multiple networks use this in place of dhcp_common
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_network

        #  Use a policy that set options from data stored in an SQL database
        #dhcp_policy_sql

        #  If using IPs from a DHCP pool in SQL then you may need to set the
        #  pool name here if you haven't set it elsewhere and release the IP.
#       update control {
#               &Pool-Name := "local"
#       }
#       dhcp_sqlippool_decline

        #  Suppress any reply to the declining client.
        update reply {
               &DHCP-Message-Type = DHCP-Do-Not-Respond
        }
        reject
}

#
#  A dummy config for Inform packets - this should match the
#  options set in the Request section above, except Inform replies
#  must not set Your-IP-Address or IP-Address-Lease-Time
#
dhcp DHCP-Inform {
        #  Handles DHCP-Inform packets. As posted, it calls dhcp_common and
        #  then returns "ok"; every other step is commented out.

        #  Call a policy (defined in policy.d/dhcp) to set common reply attributes
        #
        #  NOTE(review): dhcp_common as posted in policy.d/dhcp sets
        #  DHCP-IP-Address-Lease-Time, which the comment preceding this
        #  section says Inform replies must not set. Confirm whether a
        #  separate policy without the lease time is needed for Inform.
        dhcp_common

        #  Use a "passwd" module to set group memberships in DHCP-Group-Name
        #  Enable mods-available/dhcp_passwd to use this
        #dhcp_group_membership

        #  Optionally override the network address based on client attributes
        #  See Discover section
        #dhcp_override_network

        #  Use a "files" module to lookup global and network options
        #  For multiple networks use this in place of dhcp_common
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_network

        #  Use a policy which calls a "files" module of the same name to lookup
        #  subnet options
        #  Enable mods-available/dhcp_files AND uncomment dhcp_subnet in
        #  policy.d/dhcp to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_subnet

        #  Use a "files" module to lookup options based on DHCP-Group-Name
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_group_options

        #  Use a "files" module to lookup host specific options
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_hosts

        #  Use a policy that set options from data stored in an SQL database
        #dhcp_policy_sql

        ok
}

#
#  For Windows 7 boxes
#
#dhcp DHCP-Inform {
#       update reply {
#               Packet-Dst-Port = 67
#               DHCP-Message-Type = DHCP-ACK
#               DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}"
#               DHCP-Site-specific-28 = 0x0a00
#       }
#       ok
#}

dhcp DHCP-Release {

        #  Handles DHCP-Release packets. As posted, the only enabled steps
        #  mark the reply as DHCP-Do-Not-Respond and then call "reject";
        #  the pool release via dhcp_sqlippool_release is commented out.

        #  Use a "passwd" module to set group memberships in DHCP-Group-Name
        #  Enable mods-available/dhcp_passwd to use this
        #dhcp_group_membership

        #  Optionally override the network address based on client attributes
        #  See Discover section
        #dhcp_override_network

        #  Use a "files" module to lookup global and subnet options
        #  For multiple subnets use this in place of dhcp_common
        #  Enable mods-available/dhcp_files to use this
        #  Options are set in mods-config/files/dhcp
        #dhcp_network

        #  If using IPs from a DHCP pool in SQL then you may need to set the
        #  pool name here if you haven't set it elsewhere and release the IP.
#       update control {
#               &Pool-Name := "local"
#       }
#       dhcp_sqlippool_release

        #  Suppress any reply to the releasing client.
        update reply {
               &DHCP-Message-Type = DHCP-Do-Not-Respond
        }
        reject
}


dhcp DHCP-Lease-Query {
        #  Template for DHCP-Lease-Query handling. The three lookup
        #  branches below contain only comments, so no database lookup is
        #  performed as posted; a query carrying none of the three
        #  attributes is answered with DHCP-Lease-Unknown, and the end of
        #  the section sets DHCP-Lease-Unassigned.

        #  The thing being queried for is implicit
        #  in the packets.

        # has MAC, asking for IP, etc.
        if (&DHCP-Client-Hardware-Address) {
                # look up MAC in database
        }

        # has IP, asking for MAC, etc.
        elsif (&DHCP-Your-IP-Address) {
                # look up IP in database
        }

        # has host name, asking for IP, MAC, etc.
        elsif (&DHCP-Client-Identifier) {
                # look up identifier in database
        }
        else {
                #  None of the three lookup keys is present.
                update reply {
                        &DHCP-Message-Type = DHCP-Lease-Unknown
                }

                ok

                # stop processing
                return
        }

        #
        #  We presume that the database lookup returns "notfound"
        #  if it can't find anything.
        #
        if (notfound) {
                update reply {
                        &DHCP-Message-Type = DHCP-Lease-Unknown
                }
                ok
                return
        }

        #
        #       Add more logic here.  Is the lease inactive?
        #       If so, respond with DHCP-Lease-Unassigned.
        #
        #       Otherwise, respond with DHCP-Lease-Active
        #

        #
        #       Also be sure to return ALL information about
        #       the lease.
        #

        #
        #       The reply types are:
        #
        #       DHCP-Lease-Unknown
        #       DHCP-Lease-Active
        #       DHCP-Lease-Unassigned
        #
        update reply {
                &DHCP-Message-Type = DHCP-Lease-Unassigned
        }

}

}

######################################################################
#
#  This next section is a sample configuration for the "passwd"
#  module, that reads flat-text files.  It should go into
#  radiusd.conf, in the "modules" section.
#
#  The file is in the format <mac>,<ip>
#
#       00:01:02:03:04:05,192.0.2.100
#       01:01:02:03:04:05,192.0.2.101
#       02:01:02:03:04:05,192.0.2.102
#
#  This lets you perform simple static IP assignment.
#
#  There is a preconfigured "mac2ip" module setup in
#  mods-available/mac2ip. To use it do:
#
#    # cd raddb/
#    # ln -s ../mods-available/mac2ip mods-enabled/mac2ip
#    # mkdir mods-config/passwd
#
#  Then create the file mods-config/passwd/mac2ip with the above
#  format.
#
######################################################################


#  This is an example only - see mods-available/mac2ip instead; do
#  not uncomment these lines here.
#
#passwd mac2ip {
#       filename = ${confdir}/mac2ip
#       format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
#       delimiter = ","
#}


Параметры policy.d/dhcp:
#  Assign common DHCP reply packet options
dhcp_common {
        #  The contents here are invented.  Change them!
        #
        #  Sets the reply options shared by the DHCP-Discover, DHCP-Request
        #  and DHCP-Inform sections of the dhcp virtual server, each of
        #  which calls this policy.
        update reply {
                #  NOTE(review): both resolvers are public services, so
                #  clients on this segment will send their DNS queries
                #  off-site - confirm that is intended.
                &DHCP-Domain-Name-Server = 77.88.8.8
                &DHCP-Domain-Name-Server += 8.8.8.8
                &DHCP-Subnet-Mask = 255.255.255.0
                #  NOTE(review): the comments in sites-enabled/dhcp list
                #  DHCP-Gateway-IP-Address as the first-preference
                #  destination for return packets. Setting it to the
                #  server's own address presumably makes replies go to
                #  193.168.2.233 instead of to the client. The clients'
                #  default router looks like the commented-out
                #  DHCP-Router-Address below - confirm which was meant.
                &DHCP-Gateway-IP-Address = 193.168.2.233
#               &DHCP-Router-Address = 193.168.2.233
#               &DHCP-Broadcast-Address = 192.0.2.255
                &DHCP-IP-Address-Lease-Time = 7200
                #  Copy the identifier that the calling section placed in
                #  the control list.
                &DHCP-DHCP-Server-Identifier = &control:DHCP-DHCP-Server-Identifier
        }
}

#  Lookup DHCP group based options.  This policy allows  for membership
#  of multiple groups so can cover the ISC concepts of "group" and "class"
#  To use this enable the "dhcp_files" module
#dhcp_group_options {
#       foreach &request:DHCP-Group-Name {
#               dhcp_set_group_options
#       }
#}

#  Policy to override DHCP-Network-Subnet
#
#  Some networks have a "shared-network" or "multinet" configuration (as
#  defined by some other DHCP servers) in which multiple IP subnets may
#  co-exist in a single Layer 2 network (or VLAN).
#
#  In enterprise environments this is often for the purpose of providing loose
#  segregation between classes of devices such as local network-attached
#  storage or IP telephony. There are valid reasons why each of the subnets is
#  not separately VLANed, such as to enable the use of ICMP redirects to avoid
#  hairpinning of cross-subnet traffic via a gateway.
#
#  In ISP environments this is a common configuration for edge networks whose
#  access is provided by DOCSIS cable modems that share a VLAN with the devices
#  they provide a service to but are separately addressed.
#
#  Where it is necessary to force the selection of a particular subnet for a
#  device, multiple pools must be configured for each subnet and referenced
#  with unique identifiers in the *network-specific* section of
#  mods-config/files/dhcp.
#
#  By default DHCP-Network-Subnet is populated such that it normally
#  refers to the Layer 2 network from which the DHCP query originates - we
#  cannot know the intended subnet for the device without additional input to
#  the policy.
#
#  Override DHCP-Network-Subnet to be an address within the desired
#  network to force selection of a particular address pool and/or network
#  parameters.
#
#  Note: If each subnet within a network is equally valid for the DHCP requests
#  originating from that network then you do not need to call this policy,
#  rather look at the examples concerning dhcp_subnet in
#  mods-config/files/dhcp instead, which use a single pool containing addresses
#  from all subnets then set the correct subnet-specific options based on the
#  randomly assigned IP address.
#
#dhcp_override_network {
#       if (&DHCP-Vendor-Class-Identifier && &DHCP-Vendor-Class-Identifier == "SIP100")
#               update request {
#                       DHCP-Network-Subnet := 10.10.0.0
#               }
#       }
#}


#  Policy that calls the files instance of the same name after first making
#  DHCP-Network-Subnet specific to the allocated IP address of the client.
#dhcp_subnet {
#       update {
#               &DHCP-Network-Subnet := "%{%{reply:DHCP-Your-IP-Address}:-%{DHCP-Client-IP-Address}}"
#       }
#
#       # Call the dhcp_subnet instance of the files module
#       dhcp_subnet
#}

#  Assign compatibility data to request for sqlippool for DHCP Request
dhcp_sqlippool_request {

        #  Presents a DHCP Request to dhcp_sqlippool as accounting events
        #  and then sets DHCP-Your-IP-Address in the reply.
        #
        #  NOTE(review): the only call to this policy in the posted
        #  sites-enabled/dhcp (in the DHCP-Request section) is commented
        #  out, so it is defined but not used there.

        #
        #  During initial address selection (DORA) the REQUEST is broadcast and
        #  requested-ip must be provided. We revoke any active offers for addresses
        #  not matching the requested-ip, i.e. those made by other servers when
        #  processing the DISCOVER.
        #
        #  If there is only a single server then this optimisation can be disabled.
        #
        if (&DHCP-Requested-IP-Address) {
                update request {
                        &Acct-Status-Type := Start
                }
                dhcp_sqlippool.accounting
        }

        #  Extend an existing offer or active lease
        update request {
                &Acct-Status-Type := Alive
        }
        #  Leave the policy at this point when the module returns "notfound".
        dhcp_sqlippool.accounting {
                notfound = return
        }

        #  Use the requested address if the packet carries one, otherwise
        #  the client's current address.
        update reply {
                &DHCP-Your-IP-Address := "%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}"
        }

}

#  Assign compatibility data to request for sqlippool for DHCP Release
dhcp_sqlippool_release {

        #  Presents a DHCP Release to dhcp_sqlippool as an accounting Stop.
        #
        #  NOTE(review): the only call to this policy in the posted
        #  sites-enabled/dhcp (in the DHCP-Release section) is commented out.

        #  Do some minor hacks to the request so that it looks
        #  like a RADIUS Accounting Stop request to the SQL IP Pool module.
        update request {
                &Acct-Status-Type = Stop
        }

        #  Call the actual module in accounting context
        dhcp_sqlippool.accounting

}

#  Assign compatibility data to request for sqlippool for DHCP Decline
dhcp_sqlippool_decline {

        #  Presents a DHCP Decline to dhcp_sqlippool as Accounting-Off.
        #
        #  NOTE(review): the only call to this policy in the posted
        #  sites-enabled/dhcp (in the DHCP-Decline section) is commented out.

        #  Do a minor hack to the request so that it looks
        #  like a RADIUS Accounting Off request to the SQL IP Pool module.
        update request {
                &Acct-Status-Type = Accounting-Off
        }

        #  Call the actual module in accounting context
        dhcp_sqlippool.accounting

}

#  Example policy for fetching option data from SQL
dhcp_policy_sql {

        #
        #  Network-specific options
        #

        #
        #  We want to lookup the Layer 2 network specific DHCP options to
        #  include in the reply. For this we need a stable identifier for the
        #  network from which the request is originating (based on
        #  DHCP-Network-Subnet) which can be used as the lookup key
        #  (DHCP-SQL-Option-Identifier) for the network options.
        #
        #  Here we fabricate an example for the purpose of placing all
        #  configuration elements into SQL. We use a PostgreSQL query that
        #  returns the network identifier in the row containing the smallest
        #  enclosing CIDR, which assumes a schema such as the following:
        #
        #    CREATE TABLE fr_network_to_identifier (network CIDR, network_id TEXT)
        #
        #  Note: An rlm_files based lookup of the network_identifier (as per
        #  the examples in the dhcp virtual server) may be preferable to an ad
        #  hoc SQL query assuming that the network topology does not change
        #  frequently.
        #
#       update control {
#               &control:Tmp-String-0 := "%{dhcp_sql:SELECT network_id \
#                   FROM fr_network_to_identifier \
#                   WHERE '%{DHCP-Network-Subnet}'::inet << network \
#                   ORDER BY MASKLEN(network) DESC LIMIT 1;}"
#       }

        #
        #  Use the network identifer to lookup the options specific to the
        #  originating network, using "network" context.  Common network
        #  settings can be placed into a group and shared, with individual
        #  networks mapped to one or more option groups.
        #
        #    - Place network-specific options in the dhcpreply table with
        #      "context = 'network'".
        #    - Add "Fall-Through := Yes" to the network options in the dhcpreply
        #      table to trigger group lookups for the network, which are
        #      disabled by default.
        #    - Place "identifier = <network_id>, groupname = <group>,
        #      priority = <priority>, context = 'network'" in the dhcpgroup
        #      table to map a network to a shared set of network options.
        #    - Place group-specific options in the dhcpgroupreply table with
        #      "context = 'network'".
        #
        #  Note: In "shared-network" or "multinet" topologies you can instead
        #  just set all of the network options once in the subnet-specific
        #  options (after obtaining an IP address), below.
        #
#       update control {
#               &DHCP-SQL-Option-Context := "network"
#               &DHCP-SQL-Option-Identifier := &control:Tmp-String-0
#       }
#       dhcp_sql.authorize


        #
        #  Allocate IPs from the DHCP pool in SQL.
        #
        #  Here we simply reuse the network_id (obtained previously) as the
        #  Pool-Name.
        #
#       update control {
#               &Pool-Name := &control:Tmp-String-0
#       }
#       dhcp_sqlippool


        #
        #  Subnet-specific options
        #

        #
        #  In "shared-network" or "multinet" topologies (in which a Layer 2
        #  network has a single pool that contains addresses from multiple
        #  subnets) it is necessary to set subnet-specific options based on the
        #  address that has just been allocated.
        #
        #  Again, for this we need to derive a stable identifier for the subnet
        #  to which the IP address we are issuing belongs that will serve as a
        #  lookup key for the network options.
        #
        #  Continuing our previous example, we can use a PostgreSQL query to
        #  find the subnet identifer in the row with the closest enclosing
        #  CIDR, which assumes a schema such as the following:
        #
        #      CREATE TABLE fr_subnet_to_identifier (subnet CIDR, subnet_id TEXT)
        #
        #  Note: An rlm_files based lookup of the subnet_identifier (as per the
        #  examples in the dhcp virtual server) is preferable to an ad hoc SQL
        #  query assuming that the network topology does not change frequently.
        #
#       update control {
#               &control:Tmp-String-0 := "%{dhcp_sql:SELECT subnet_id \
#                   FROM fr_subnet_to_identifier \
#                   WHERE '%{reply:DHCP-Your-IP-Address}'::inet << subnet \
#                   ORDER BY MASKLEN(subnet) DESC LIMIT 1;}"
#       }

        #
        #  Use the subnet identifer to lookup the options specific to the
        #  subnet for the IP we are allocating, using "subnet" context.  Common
        #  subnet settings can be placed into a group and shared, with
        #  individual subnets mapped to one or more option groups.
        #
        #    - Place subnet-specific options in the dhcpreply table with
        #      "context = 'subnet'".
        #    - Add "Fall-Through := Yes" to the subnet options in the dhcpreply
        #      table to trigger group lookups for the subnet, which are
        #      disabled by default.
        #    - Place "identifier = <subnet_id>, groupname = <group>,
        #      priority = <priority>, context = 'subnet'" in the dhcpgroup
        #      table to map a subnet to a shared set of subnet options.
        #    - Place group-specific options in the dhcpgroupreply table with
        #      "context = 'subnet'".
        #
#       update control {
#               &DHCP-SQL-Option-Context := "subnet"
#               &DHCP-SQL-Option-Identifier := &control:Tmp-String-0
#       }
#       dhcp_sql.authorize


        #
        #  Host-specific and group-specific options
        #

        #  "Groups" conventionally differentiate devices based on manual
        #  groupings using a device-specific identifier such as the MAC
        #  address.
        #
        #    - Place host-specific options in the dhcpreply table with
        #      "context = 'group'".
        #    - Add "Fall-Through := Yes" to the device options in the dhcpreply
        #      table to trigger group lookups, which are disabled by default.
        #    - Place "identifier = <MAC-Address>, groupname = <group>,
        #      priority = <priority>, context='group'" in the dhcpgroup table
        #      to map a device to its groups.
        #    - Place group-specific options in the dhcpgroupreply table with
        #      "context = 'group'".
        #
#       update control {
#               &DHCP-SQL-Option-Context := "group"
#               &DHCP-SQL-Option-Identifier := &request:DHCP-Client-Hardware-Address
#       }
#       dhcp_sql.authorize


        #
        #  Class/subclass-specific options
        #

        #
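        #  "Classes" conventionally differentiate devices based on all or part
        #  of one or more DHCP request options, or any combination of
        #  information that is available in the request or has already been
        #  looked up from some datastore.
        #
        #  Note that DHCP request options (e.g. DHCP-Vendor-Class-Identifier)
        #  are supplied by the client, so a class selects options for a device
        #  but does not verify what the device is.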
        #
        #  Create multiple instances of the following block, one for each
        #  class. Differentiate between classes by setting
        #  DHCP-SQL-Option-Context uniquely.
        #
        #    - Place "subclass"-specific options (i.e. each member of a class)
        #      in the dhcpreply table with "context = <class-name>".
        #    - For class-level options common to every member of a class,
        #      either:
        #        - Duplicate the options for each member of the subclass.
        #      or:
        #        - Add "Fall-Through := Yes" to each member's options to trigger
        #          group lookups, which are disabled by default.
        #        - Map each member of the class to a group in the dhcpgroup
        #          table with context = '<class-name>';
        #        - Create the corresponding class in the dhcpgroupreply table
        #          with "context = '<class-name>'".
        #
#       update control {
#               &DHCP-SQL-Option-Context := "class-vci-substring"
#               &DHCP-SQL-Option-Identifier := "%{substring %{request:DHCP-Vendor-Class-Identifier} 5 4}"
#       }
#       dhcp_sql.authorize

}

Нужные модули активированы

root@test:/usr/local/etc/raddb# ls sites-enabled/
default  dhcp
root@test:/usr/local/etc/raddb# ls mods-enabled/
always       detail           eap         expr       mac2ip     passwd      replicate  unix
attr_filter  detail.log       echo        files      mschap     preprocess  soh        unpack
chap         digest           exec        linelog    ntlm_auth  radutmp     sradutmp   utf8
date         dynamic_clients  expiration  logintime  pap        realm       totp

Файл с привязкой ip адреса к MAC адресу создан

root@test:/usr/local/etc/raddb# cat mods-config/passwd/mac2ip
00:E0:4C:23:00:AF,193.168.2.234

Логи:

Fri Sep 26 07:48:54 2025 : Info: Signalled to terminate
Fri Sep 26 07:48:54 2025 : Info: Exiting normally
Fri Sep 26 07:53:56 2025 : Info: Debugger not attached
Fri Sep 26 07:53:56 2025 : Info: Loaded virtual server <default>
Fri Sep 26 07:53:56 2025 : Info: Loaded virtual server dhcp
Fri Sep 26 07:53:56 2025 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Fri Sep 26 07:53:56 2025 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
Fri Sep 26 07:53:56 2025 : Info: Loaded virtual server default
Fri Sep 26 07:53:56 2025 : Info: Ready to process requests

Используемые порты:

root@test:/usr/local/etc/raddb# ss -tulnp
Netid   State    Recv-Q   Send-Q        Local Address:Port     Peer Address:Port   Process
udp     UNCONN   0        0                   0.0.0.0:1812          0.0.0.0:*       users:(("radiusd",pid=421,fd=8))
udp     UNCONN   0        0                   0.0.0.0:1813          0.0.0.0:*       users:(("radiusd",pid=421,fd=9))
udp     UNCONN   0        0          0.0.0.0%enX0.253:67            0.0.0.0:*       users:(("radiusd",pid=421,fd=7))
udp     UNCONN   0        0                      [::]:1812             [::]:*       users:(("radiusd",pid=421,fd=10))
udp     UNCONN   0        0                      [::]:1813             [::]:*       users:(("radiusd",pid=421,fd=11))
tcp     LISTEN   0        128                 0.0.0.0:22            0.0.0.0:*       users:(("sshd",pid=399,fd=3))
tcp     LISTEN   0        128                    [::]:22               [::]:*       users:(("sshd",pid=399,fd=4))

На другом конце — ноутбук. Если вручную присвоить ему IP 234, то сервер 233 он пингует, но по DHCP ничего не получает.