MPenate0/service-dhcp-whitelist
MPenate0/service-dhcp-whitelist
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
service-dhcp-whitelist/claude.md
Marcus Penate 141ac1c9dd Initial commit: DHCP whitelist service for direct link connections 
Features:
- Docker-based DHCP server with MAC address whitelisting
- Binds to specific ethernet interface only
- NO DNS/gateway advertised (direct link only, not a router)
- Configurable network parameters (subnet, DHCP range, lease times)
- Systemd service integration for Arch/Manjaro
- Test environment with isolated network (172.20.0.0/24)
- Auto-configuration script to detect network settings
- Complete Makefile with management targets

Security:
- Only responds to whitelisted MAC addresses
- deny unknown-clients configuration
- Runs in Docker container for isolation

Configuration:
- Copy .example files to create your config
- interface.conf: Network interface to bind to
- whitelist.conf: Allowed MAC addresses
- network.conf: Network parameters (optional)
2025-08-27 20:46:29 -04:00

2.1 KiB
Raw Blame History

DHCP Direct Link Only Service - Development Notes

Project Overview

This project creates a DHCP server that only responds to whitelisted MAC addresses on a specific ethernet interface. It's designed for direct link connections where only authorized devices should receive IP addresses, without any routing or DNS services.

Configuration Features

  • Binds to specific ethernet interface (configurable)
  • MAC address whitelisting (configurable)
  • NO DNS servers advertised (direct link only)
  • NO gateway/router advertised (not a NAT setup)
  • Configurable network parameters (subnet, range, lease times)

Architecture Decisions

Why Docker?

  • Isolation from host system
  • Easy deployment and management
  • Consistent environment across different systems
  • Simple cleanup and removal

Why ISC DHCP Server?

  • Mature, stable DHCP implementation
  • Extensive configuration options
  • Good documentation
  • Supports MAC address filtering natively

Network Mode: Host

The container uses host network mode because:

  • DHCP requires direct access to the physical network interface
  • DHCP uses raw sockets that don't work well with Docker's bridge networking
  • We need to bind to a specific physical interface

Implementation Details

Whitelist Implementation

The whitelist is implemented using ISC DHCP's host declarations with a deny unknown-clients directive. This ensures only explicitly defined MAC addresses receive leases.

Configuration Management

  • Local configs in config/ for development
  • System configs in /etc/dhcp-whitelist/ for production service
  • Auto-config script detects network settings automatically

Testing Strategy

  • Isolated Docker network for testing
  • Separate test client containers
  • Tests both allowed and denied MAC scenarios

Known Limitations

  1. MAC addresses can be spoofed - this is not a security solution by itself
  2. Requires host network mode which reduces container isolation
  3. Only one instance can run per interface

Future Enhancements

  • Web UI for managing whitelist
  • Logging and monitoring
  • Multiple interface support
  • Integration with network authentication systems