Second NIC only to serve DHCP requests

Question

I've got a server running Lubuntu with IP 192.168.1.11/24. DHCP server is running and handing out IPs for the whole subnet.

192.168.1.1 is my home router that is routing all other traffic to 192.168.0.1 which is the router of my ISP.

Everything works as expected, the route command gives me

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.asus.com 0.0.0.0         UG    100    0        0 enp0s31f6
192.168.1.0     *               255.255.255.0   U     100    0        0 enp0s31f6

So all traffic is routed via 192.168.1.1.

Now I'm trying to setup a second NIC in the server. The only task for this NIC would be to hand out DHCP addresses for the 192.168.0.0/24 subnet, nothing else.

My problem: As soon as I configure the static IP address to 192.168.0.2, the routing table is updated:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s31f6
192.168.0.0     *               255.255.255.0   U     100    0        0 enx00e04c20e315
192.168.1.0     *               255.255.255.0   U     100    0        0 enp0s31f6

This makes sense of course, as enx00e04c20e315 now belongs to the 192.168.0.0/24 subnet and it's certainly faster to use that route for the subnet.

I tried to delete the route manually but couldn't manage.

How can I configure the enx00e04c20e315 to just handle DHCP requests and still route all other traffic through enp0s31f6 ?

Background

The setup maybe is a bit strange, so let me give some background. I'm using VLANs to separate the network. There's a default VLAN 1, where most ports are. And then there's a VLAN 2 for WAN. Only my routers WAN port and the ISP router are part of VLAN 2.

I'm trying to setup a guest WLAN on my router. For that to work, there needs to be a DHCP server on the WAN side of the router, so on VLAN 2. That's why I'm setting up a second NIC and also added it to VLAN 2. Now if any guest device connects, it should get the DHCP address from the server and go directly through 192.168.0.1 without ever reaching the internal network.

Thanks a lot

Answer 1

One option to do this would be to setup a DHCP server in a VM on your system and bridge the second NIC to the VM. Give that VM an IP address on the 192.168.0.0/24 network. It will be able to hand out addresses on that network but would retain some secure isolation from your main network. You can bridge a NIC into a VM without assigning an IP address to it and thus keep it out of your host routing tables.

Note, this still isn't completely secure as your main system would remain vulnerable to layer 2 attacks from the guest network and a compromise of the VM could potentially break out of the VM if there is a hypervisor bug. How important these considerations are to you depends on exactly how secure you're trying to make this.