VLAN on ISC DHCPd server

[Thurisaz]

Due to the safety issues I have to configure a VLAN to set the "nameless" (undiscoverable) client hosts in it and deny (via IPFW) any access to the servers, except ports 143 and 587 on the mail server. How it can be set up most effectively?
Server runs FreeBSD-13.1, has dhcpd, BIND 9.16, iRedMail, has 2 active NICs: one to the ISP, another on LAN. Also it has a spare NIC yet to be tested for issues.

 

[subnetspider]

So I assume you want to provide DHCP leases to some untrusted clients on a VLAN network and only give them access to a mail server.
Both the mail server and the dhcpd DHCP server run on the same FreeBSD host secured with the ipfw firewall.
You also mentioned that the FreeBSD host runs a DNS server, and I assume you haven't created the VLAN interface for the untrusted network yet?

Is your question now only related to setting up your DHCP server or also to all the other things?

 

[Thurisaz]

My question is to organize a parallel VLAN to distinguish the untrusted client hosts, often being borrowed from outside the Institute's LAN and thus their safety is compromised. To prevent malicious behavior from those hosts that can be infected, I have to set them into that VLAN and limit their capabilities to ISP WAN and IMAP/SMTP ports. No capabilities, not even a chance to access SSH consoles, Samba shares or SMB shared folders, not a thing that would help a malicious agent to propagate.

 

[VladiBG]

You need a method do authorize / distinguishes the good from bad clients. Then your clients must be connected on managed access switch which support 802.1x with VLAN assignment or WLAN with dedicated SSID to VLAN. After you have your clients on two different VLANs it's easy to create a different firewall rules to allow / deny the traffic depending of the VLAN interface.

If you don't have RADIUS server in your network then the only option is to provide a dedicated switch with trunk port which is limited only to the guest vlan and all clients on that switch will be isolated into this guest vlan.

DHCP is just a service to provide the IP address and options to the clients in the VLAN segment. It should not be used to separate the unknown hosts into a different subnet as it can be easy avoided by malicious client by setting the static ip address and getting the same access as other trusted host.

 

[Thurisaz]

The next question is how to route the unknown hosts through the different server. The 'shared-network' clause with overlapping subnets inside seems to misinterprete deny/allow members of %class% statements as not statements or declarations. Either a class described before the shared-network, or as a common parameter for it, the result is the same. Can I set the option-router as a specific option for a pool inside the rather big (255.255.254.0, or /23) subnet?
P.S. There is another DHCP server, running on Ubuntu Linux, also this server has separate ISP and formerly authoritative DNS for agrophys.local pseudo-zone.