Using dhclient on WAN if on a box serving DHCP to LAN if

Tom Evans tevans.uk at googlemail.com
Fri Dec 7 15:29:16 UTC 2012


On Fri, Dec 7, 2012 at 12:25 PM, Ronald Klop
<ronald-freebsd8 at klop.yi.org> wrote:
> On Fri, 07 Dec 2012 12:38:45 +0100, Tom Evans <tevans.uk at googlemail.com>
>
> What is in dhcpd.conf?
>
> Ronald.
>

dhcpd.conf is straightforward:

option domain-name "xxxxx.com";
option subnet-mask 255.255.255.0;

default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.253;
    option domain-name-servers 192.168.1.1;
    option routers 192.168.1.1;
}

Ian: I had already specified dhcpd_ifaces to be just the internal
interface, which is why it had confused me! I haven't yet got any
complaints from dhcpd about the subnet on the extif, so far as I can
see.

For clarity, this is my pf.conf, which again is very simple:

ext_if="ale0"
int_if="{ em0 }"
antispoof_if="{ lo0 em0 }"
tcp_services="{ 22 443 }"
icmp_types="{ echoreq echorep unreach }"
# options
set block-policy return
set loginterface $ext_if
set skip on lo0
# tables
table <sshguard> persist
# scrub
#match in all scrub (no-df)
# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for $antispoof_if
block in quick on $ext_if from <sshguard> label "ssh bruteforce"
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

Ideally, I would like the configuration to not specify the details of
the configuration. E.g., if I instead had a dynamic IP, how could I
configure that, as I would not know the IP, netmask, broadcast and router
addresses beforehand?

Cheers

Tom
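Editorial note (added example, not part of Tom's message or the FreeBSD project): the pf.conf above already writes the external address as `($ext_if)` and `($ext_if:0)`, which pf re-evaluates whenever the interface address changes, so those rules survive a dhclient renewal without an explicit IP. Where a rule needs the WAN address in a table instead, a `/etc/dhclient-exit-hooks` fragment like the one below (the table name `wan_addr` is assumed; `ale0` is the interface from the post) keeps that table in step with the lease; dhclient-script(8) sources the file with `$reason`, `$interface` and `$new_ip_address` set.

```shell
#!/bin/sh
# Added example: /etc/dhclient-exit-hooks fragment for a FreeBSD box where
# dhclient manages the WAN interface and pf uses a table for its address.
# Assumptions: pf table <wan_addr> exists in pf.conf; WAN interface is ale0.

WAN_IF="ale0"

# Decide what to run for a dhclient event. Prints the pfctl command (or
# nothing) so the decision can be checked without touching a live firewall.
# Returns 1 if the offered address is not a plain dotted quad.
wan_hook_action() {
    reason_=$1 iface_=$2 addr_=$3
    # Only events on the WAN interface matter; ignore any other dhclient.
    [ "$iface_" = "$WAN_IF" ] || return 0
    case "$reason_" in
        BOUND|RENEW|REBIND|REBOOT)
            # Reject anything that is not digits and dots before it is used.
            case "$addr_" in
                ""|*[!0-9.]*) return 1 ;;
            esac
            echo "pfctl -t wan_addr -T replace $addr_"
            ;;
        EXPIRE|FAIL)
            # Lease gone: empty the table so no stale address is trusted.
            echo "pfctl -t wan_addr -T flush"
            ;;
        *)
            # PREINIT, ARPCHECK, MEDIUM etc. change no address: do nothing.
            ;;
    esac
}

# Act only when sourced by dhclient-script (which sets $reason) and pfctl
# is present; running the file by hand is then a harmless no-op.
if [ -n "${reason:-}" ] && command -v pfctl >/dev/null 2>&1; then
    if cmd=$(wan_hook_action "$reason" "$interface" "${new_ip_address:-}") \
        && [ -n "$cmd" ]; then
        $cmd
    fi
fi
```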
