Netgate Discussion Forum
    pfSense 22.01 DHCP service skipping over IPs

    DHCP and DNS
    9 Posts 3 Posters 1.2k Views 3 Watching
    GregBinSD

      pfSense 22.01 is the firewall/router used at our high school. There is an SSID that corresponds to the VLAN for the students' address space: VLAN 40 192.168.40.0, subnet mask 255.255.248.0 with an available range of 192.168.40.1 to 192.168.47.254. pfSense is the sole provider of DHCP addresses. All other DHCP settings are at default values (blank).

      Over the past several weeks, a "hole" has formed in the middle of the DHCP address range, and only one IP has been assigned from the 192.168.41.0 network, and only 2 IP addresses from the 192.168.42.0 network have been assigned. See the screen print of the Status / DHCP Leases screen.

      Any suggestions about what steps I should take regarding this issue? ... or should I just let it climb to 192.168.47.254 and allow it to "roll over"?

      Thanks for any help.

      [Screenshots: Status / DHCP Leases]

      johnpoz (LAYER 8 Global Moderator) @GregBinSD

        @gregbinsd said in pfSense 22.01 DHCP service skipping over IPs:

        or should I just let it climb to 192.168.47.254 and allow it to "roll over"?

        Yeah, why would it matter? Other than some sort of OCD issue - the IPs out of the pool could be assigned completely randomly. But yeah, dhcpd tends to count in a specific order, either from the start of the pool and up, or from the top of the pool down, etc.

        Why it would have skipped is a bit odd, but you would have to look in your lease file - there could have been some reason for it, like an old or corrupted lease or something.. Or maybe a client requested a specific IP, and that jumped where it was counting from?

        It is a bit odd, but doesn't really matter in the big picture.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        GregBinSD

          Thank you for your response, @johnpoz. My OCD tendencies sometimes pop up!

          Because our high school is only 2 years old, and in another 2 years there will be twice as many IPs needed in that DHCP pool, it was making me nervous that the service might hit the top of the address pool and bonk!

          After reading your response, I think I'll sleep better tonight!

          I had to restore our firewall from XML config files after our SG-3100 bit the dust, so I switched to using my own Dell hardware running pfSense 2.6 and then switched to pfSense+ 22.01. All of that turned out very well, but might have caused what I am seeing now.

          I'll check out the lease file, I'm sure to learn something.

          Thanks again for your help.

          akuma1x @GregBinSD

            @gregbinsd If you're expecting to expand like that, it's probably time to have several different subnets running on your router/firewall pfSense box. In a setting like that, think in "departments" with their own networks, and hopefully you've got wifi gear that can support network segmentation, i.e. VLAN-capable stuff. Sounds like you're already doing some of that. Maybe make a couple of different student SSID connections, depending on demographics - juniors, seniors, special types of access, I don't know. Got a computer class at your school? Maybe bounce some ideas off of the students, see what they think... I don't know what your networking background is, so please don't be offended by my suggestions. Maybe if you've got a tech college close by that does networking stuff, you could ask them some questions.

            https://superuser.com/questions/1108245/what-are-the-disadvantages-of-using-large-subnets

            I mean, can you simply bump up your subnet mask size to say a /19 or /18? Probably, but it's going to put some stress on your pfsense box to route that many IP addresses all day long to where they need to go. Can your Dell hardware handle all of that traffic? Probably. Can your wifi gear handle that many users? By that I mean, if you expand your subnet size, and you suddenly have say 150+ students suddenly trying to connect to the same access point(s), is your gear up to the task?

            I would just suggest that you start planning on expanding your network capacity wisely. Ask questions here, many of the other members have already been in/at networks these sizes, and most likely have their stories/advice to share.

            johnpoz (LAYER 8 Global Moderator) @GregBinSD

              @gregbinsd said in pfSense 22.01 DHCP service skipping over IPs:

              it was making me nervous that the service might hit the top of the address pool and bonk!

              No, what happens is: as dhcpd counts up or down through its pool and gets to the end, it then starts handing out other leases that have expired.

              So what normally happens as you start filling up a pool is that it goes in order as new clients grab an IP.

              2 ---> 254

              then it just uses leases that are expired, so you might see

              45, 100, 101, 102, 145, 23, 132, etc..

              The only problem you could run into is if you were using some really long lease, where they were not expired as it ran through the pool.

              Say you had 100 IPs in your pool, and you hand out leases that were good for 30 days. And in, say, 20 days you ran through 100 different clients grabbing IPs.. And then on day 21, even though 90 of those clients are no longer connected, their leases have not expired.. So then you would run out of leases to use..

              As long as you're not going to have more clients than your IP pool active - or leases not expired - you will be fine.


              johnpoz (LAYER 8 Global Moderator) @akuma1x
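              The handout behaviour johnpoz describes (walk the pool in order, then recycle expired leases, and the exhaustion case with long leases) as a small model, added here as an example; this is not code from the thread or from pfSense/ISC dhcpd, and the `Pool` class is a simplified stand-in for the daemon's allocator rather than its actual algorithm. Pool size, lease times and client counts follow his example.

```python
"""Model of the lease-handout behaviour described above: walk the pool in order,
then recycle expired leases, and show why a long lease time can exhaust a pool
whose live clients would easily fit.

Added example, not code from the thread or from pfSense/ISC dhcpd; it is a
simplified model of the behaviour johnpoz describes, not the daemon's real
allocator. Pool size, lease times and client counts are taken from his example.
"""
from __future__ import annotations

from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Lease:
    client: str
    expires: int          # seconds since the simulation started


class Pool:
    """Addresses first..last (host octets, e.g. 2..254), one lease time for all."""

    def __init__(self, first: int, last: int, lease_seconds: int):
        self.addresses = list(range(first, last + 1))
        self.lease_seconds = lease_seconds
        self.leases: dict[int, Lease] = {}   # address -> current lease
        self.next_fresh = 0                   # index of the next never-used address

    def request(self, client: str, now: int) -> int | None:
        """Address handed to `client` at time `now`, or None if the pool is exhausted."""
        # A client that still holds an unexpired lease simply renews it.
        for addr, lease in self.leases.items():
            if lease.client == client and lease.expires > now:
                lease.expires = now + self.lease_seconds
                return addr
        if self.next_fresh < len(self.addresses):
            # First pass through the pool: 2, 3, 4, ... in order.
            addr = self.addresses[self.next_fresh]
            self.next_fresh += 1
        else:
            # Pool walked once: recycle the lease that expired longest ago
            # (so the order now looks like 45, 100, 101, 23, ...).
            expired = [(l.expires, a) for a, l in self.leases.items() if l.expires <= now]
            if not expired:
                return None       # every address is still under an unexpired lease
            addr = min(expired)[1]
        self.leases[addr] = Lease(client, now + self.lease_seconds)
        return addr


def run_scenario(lease_hours: int, pool_size: int = 100,
                 clients: int = 100, days_to_fill: int = 20):
    """johnpoz's scenario: `clients` distinct devices each connect once, spread over
    `days_to_fill` days; the next day a new device asks for an address.
    Returns (address the newcomer got or None, leases still unexpired that day)."""
    pool = Pool(2, pool_size + 1, lease_hours * HOUR)
    for i in range(clients):
        arrival = i * days_to_fill * DAY // clients
        assert pool.request(f"client-{i}", arrival) is not None
    next_day = (days_to_fill + 1) * DAY
    unexpired = sum(1 for l in pool.leases.values() if l.expires > next_day)
    return pool.request("newcomer", next_day), unexpired


if __name__ == "__main__":
    print("30-day leases:", run_scenario(30 * 24))   # (None, 100): pool exhausted
    print("12-hour leases:", run_scenario(12))        # (2, 0): newcomer gets address 2 back
```

              With 30-day leases every one of the 100 addresses is still under an unexpired lease on day 21, so the newcomer gets nothing even though most of those clients have left; with 12-hour leases all of them have expired and the newcomer is handed the address that expired first. The number to watch is therefore not pool size alone but pool size against the number of leases that are still unexpired.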

                @akuma1x I concur - a /21 is a pretty big L2.


                GregBinSD

                  @akuma1x
                  I want to keep things simple, and having one big network for the one student SSID is the way that works for me, but thank you both for the advice!

                  @johnpoz
                  Following your advice, I looked into the DHCP leases files. There are two "db/dhclient.leases" text files:
                  /var/db/dhclient.leases.re0 <-- current WAN interface name
                  /var/db/dhclient.leases.igb0 <-- old VLAN parent interface name

                  I had changed the VLAN parent interface from a 1Gb/s NIC (igb0) to a 10Gb/s NIC (ix0), so the /var/db/dhclient.leases.igb0 file is pointing to an unused interface.

                  The re0 WAN file has the DHCP options from the ISP, like DNS servers, time servers, etc.

                  The /var/dhcpd/var/db/dhcpd.leases file is the server's lease options to its clients.
                  It has 427 IP addresses, but only 333 are unique, so there are duplicates in the file.

                  John, is there something I should try? I can set up a test pfSense instance based on the XML backup of the working instance, and keep it off the production network and run some testing?

                  Hey, remember the bumper sticker that said "Hold my beer, I'm goin' to try something..." ??

                  [Screenshot: VLAN configuration]

                  akuma1x @GregBinSD
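                  A way to read that dhcpd.leases file and see what the 427 entries versus 333 unique addresses means, added here as an example; this is not code from the thread or from pfSense. The sample file content is constructed in dhcpd.leases syntax. Two facts about the real format the code relies on: timestamps are written in UTC, and because dhcpd appends to the file, the last block for an IP is the authoritative one, which is why the same address can appear more than once.

```python
"""Parse an ISC dhcpd.leases file, the format written by the DHCP server in
pfSense 22.01, and report which pool addresses are actually held.

Added example for this thread, not code from the thread or from pfSense.
SAMPLE_LEASES below is constructed to resemble the file. Timestamps in a real
dhcpd.leases are UTC, and a later entry for the same IP supersedes earlier ones.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

TIME_FMT = "%Y/%m/%d %H:%M:%S"
# Only "lease <ip> { ... }" blocks are parsed; header lines are skipped.
LEASE_BLOCK = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)

# Constructed sample. 192.168.40.12 appears twice: the later "free" entry wins.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.40.10 {
  ends 4 2022/03/24 06:00:00;
  binding state active;
}
lease 192.168.40.12 {
  ends 4 2022/03/24 06:05:00;
  binding state active;
}
lease 192.168.41.7 {
  ends 4 2022/03/24 07:00:00;
  binding state active;
}
lease 192.168.42.3 {
  ends 3 2022/03/23 07:00:00;
  binding state active;
}
lease 192.168.43.200 {
  ends 4 2022/03/24 08:00:00;
  binding state active;
}
lease 192.168.40.12 {
  ends 3 2022/03/23 18:30:00;
  binding state free;
}
"""


@dataclass
class Lease:
    ip: str
    ends: datetime | None   # None means "never"
    state: str              # binding state: active, free, expired, ...


def _parse_time(value: str) -> datetime | None:
    # dhcpd writes "W YYYY/MM/DD HH:MM:SS" (W = weekday, ignored) or "never"
    value = value.strip()
    if value == "never":
        return None
    _weekday, ymd, hms = value.split()
    return datetime.strptime(f"{ymd} {hms}", TIME_FMT).replace(tzinfo=timezone.utc)


def count_lease_blocks(text: str) -> int:
    """Raw number of lease entries, duplicates included (the 427 in the thread)."""
    return len(LEASE_BLOCK.findall(text))


def parse_leases(text: str) -> dict[str, Lease]:
    """One Lease per IP. dhcpd appends to the file, so the last block for an IP
    is authoritative (the 333 unique addresses in the thread)."""
    leases: dict[str, Lease] = {}
    for ip, body in LEASE_BLOCK.findall(text):
        ends, state = None, "unknown"
        for line in body.splitlines():
            stmt = line.strip().rstrip(";")
            if stmt.startswith("ends "):
                ends = _parse_time(stmt[len("ends "):])
            elif stmt.startswith("binding state "):   # skips "next binding state"
                state = stmt[len("binding state "):]
        leases[ip] = Lease(ip, ends, state)            # later block overwrites
    return leases


def active_leases(leases: dict[str, Lease], now: str) -> list[str]:
    """IPs dhcpd will not give to a new client at `now` (UTC, TIME_FMT):
    binding state active and 'ends' still in the future."""
    t = datetime.strptime(now, TIME_FMT).replace(tzinfo=timezone.utc)
    held = [ip for ip, l in leases.items()
            if l.state == "active" and (l.ends is None or l.ends > t)]
    return sorted(held, key=ipaddress.IPv4Address)


def usage_by_subnet(leases: dict[str, Lease], pool: str, now: str) -> dict[str, int]:
    """Active leases per /24 inside `pool`: makes a 'hole' like the one in
    192.168.41.0 and 192.168.42.0 from the thread visible."""
    net = ipaddress.ip_network(pool)
    counts = {str(sub): 0 for sub in net.subnets(new_prefix=24)}
    for ip in active_leases(leases, now):
        if ipaddress.IPv4Address(ip) in net:
            counts[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return counts
```

                  Run against the real file with `parse_leases(open("/var/dhcpd/var/db/dhcpd.leases").read())` and a `now` string in UTC: `count_lease_blocks` gives the raw entry count, `len(parse_leases(...))` the unique addresses, and `usage_by_subnet(..., "192.168.40.0/21", now)` the per-/24 picture from the Status / DHCP Leases page, counted from the file rather than from the GUI.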

                    @gregbinsd LOL, you should have led your thread with the VLAN image... I didn't need to type even half of my suggestions. :)

                    Good luck with your project!

                    GregBinSD @akuma1x

                      @akuma1x
                      Thank you!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.