About

Suppose you have a DHCP-enabled network on which the firewall restricts a range of addresses, and a set of Windows clients that need to bypass all of those firewall rules. The easiest way is to use DHCP to place those Windows clients in a separate address range and adapt the firewall rules accordingly. This can be achieved with DHCP option 77 (the user class option), which Windows clients send when a DHCP class ID has been configured on the interface. Note that the class ID is chosen by the client and is not authenticated: any machine on which someone can run ipconfig can send the same value, so this separates clients for convenience, not by trust. If the bypass must be limited to specific machines, key it on something the server controls, such as host declarations for known hardware addresses, rather than on option 77 alone.

Setting up Windows

The first thing to do is to assign a class ID to the Windows clients with the ipconfig /setclassid command in a Windows command prompt with elevated privileges. The adapter is identified by its connection name as shown in the ipconfig output; for an adapter called Local Area Network you would issue:

ipconfig /setclassid "Local Area Network" punchthrough

which sets the class identifier to punchthrough on the Local Area Network adapter. To verify the change, issue:

ipconfig /all

and look for the line starting with DHCPv4 Class ID.

Configuring ISC DHCPd

To configure the ISC DHCPd server, edit your existing configuration file (usually /etc/dhcp/dhcpd.conf or /etc/dhcpd.conf, depending on the distribution): first define option 77, then configure a DHCP class that matches the punchthrough class ID sent by the Windows clients.

To define option 77 for DHCPd, add the following to the global scope of the configuration file:

option windows-class-id code 77 = string;

where windows-class-id is the name you choose for option code 77. It is declared as a string because Windows sends the class ID as a bare string, which is what the class below compares against.

After that, configure a class that matches the class identifier sent by Windows (this is option 77, not the client identifier in option 61):

class "punchthrough" {
    match if option windows-class-id = "punchthrough";
}

Finally, in the subnet declaration, configure two separate pools. Suppose we want to give the clients that send the punchthrough class ID addresses from 192.168.0.100 to 192.168.0.200, and all other clients addresses from 192.168.0.50 to 192.168.0.80. Then we would configure DHCP as:

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1; # router is at 192.168.0.1
    # more subnet-wide options...

    # Windows clients sending class ID "punchthrough" will be matched in this pool.
    pool {
        allow members of "punchthrough";
        range 192.168.0.100 192.168.0.200;
    }

    # Everything else, including clients that send no class ID at all.
    pool {
        deny members of "punchthrough";
        range 192.168.0.50 192.168.0.80;
    }
}

Monitoring Traffic

To check that the setup works, capture the DHCP exchange on the server with tcpdump. DHCP uses UDP port 67 on the server and port 68 on the client, so a filter of port 67 or port 68 catches both directions, and the -v flag makes tcpdump decode the DHCP options. When you issue on the Windows machine:

ipconfig /renew

you will see the client's request in the capture, including the line:

    CLASS Option 77, length 12: "punchthrough"

which should be matched by the punchthrough class if the setup is correct. The server's reply should then offer an address from the 192.168.0.100 to 192.168.0.200 range, which you can confirm on the client with ipconfig /all; a client without the class ID should instead receive an address from 192.168.0.50 to 192.168.0.80.
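To see exactly what the class match above compares against, here is an added example (not code from the original page or from ISC dhcpd) that decodes the option 77 field out of a captured DHCP message. The DHCPDISCOVER it parses is constructed inline; the client MAC, transaction ID and the class strings are assumed values chosen to resemble what a Windows client sends after ipconfig /setclassid. It also shows the one pitfall a practitioner runs into: Windows sends the class ID as a bare string, while an RFC 3004 client sends it length-prefixed, and only the bare-string form is equal to "punchthrough" under the page's string definition.

```python
"""Decode DHCP option 77 (user class) from a captured client message.

Added example, not part of the original page or of ISC dhcpd. The packet is
constructed by hand (assumed MAC, xid and class strings) to resemble the
DHCPDISCOVER a Windows client sends with a configured DHCP class ID.
"""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_USER_CLASS, OPT_END = 0, 53, 77, 255
FIXED_HEADER_LEN = 236      # op .. file: everything before the magic cookie
DHCPDISCOVER = 1


def build_discover(mac: bytes, user_class: bytes, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPDISCOVER carrying option 77 (constructed sample)."""
    zero4 = b"\x00" * 4
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                 # xid, secs, flags (broadcast bit set)
        zero4, zero4, zero4, zero4,     # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\x00"),         # chaddr, padded to 16 bytes
        b"\x00" * 64, b"\x00" * 128,    # sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_USER_CLASS, len(user_class)]) + user_class
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC_COOKIE + options


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {code: raw value} for the TLV options following the magic cookie."""
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:             # one-byte padding, carries no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError(f"option {code} is truncated")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = value
        i += 2 + length
    return opts


def user_classes(raw: bytes) -> list:
    """Split the option 77 value into class strings.

    Windows sends one bare string. RFC 3004 clients send one or more
    <len><bytes> sub-fields; if the value tiles exactly into non-empty
    sub-fields it is decoded that way, otherwise it is taken as a bare string.
    """
    fields, i = [], 0
    while i < len(raw):
        n = raw[i]
        if n == 0 or i + 1 + n > len(raw):
            return [raw.decode("ascii", "replace")]     # bare-string form
        fields.append(raw[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return fields


def dhcpd_class_matches(packet: bytes, class_id: str) -> bool:
    """Mirror `match if option windows-class-id = "<class_id>";` in dhcpd.conf.

    With option 77 declared as a string, dhcpd compares the raw option bytes,
    so the RFC 3004 form of the same name (leading length byte) does not match.
    """
    return parse_dhcp_options(packet).get(OPT_USER_CLASS) == class_id.encode()


def tcpdump_line(packet: bytes) -> str:
    """Render option 77 the way `tcpdump -v` shows it for the Windows form."""
    raw = parse_dhcp_options(packet).get(OPT_USER_CLASS)
    if raw is None:
        return "no option 77 present"
    return f'CLASS Option 77, length {len(raw)}: "{raw.decode("ascii", "replace")}"'


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                     # assumed client MAC
    for name, pkt in (
        ("windows", build_discover(mac, b"punchthrough")),
        ("rfc3004", build_discover(mac, b"\x0cpunchthrough")),
        ("no-class", build_discover(mac, b"")),
    ):
        opts = parse_dhcp_options(pkt)
        print(name, tcpdump_line(pkt), user_classes(opts.get(OPT_USER_CLASS, b"")),
              "dhcpd matches:", dhcpd_class_matches(pkt, "punchthrough"))
```

Run it against a real capture by feeding the UDP payload (everything after the UDP header) to parse_dhcp_options; if user_classes reports the right name but dhcpd_class_matches is False, the client is sending the RFC 3004 form and the string comparison in the class will never fire.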