DO NOT set gateway via DHCP
-
Hello, this is my first post here on these forums from many to come :)
We're running pfSense 1.2.3 and we want to replace our current Windows based DHCP server with our pfSense box.
The problem is we have both LAN IPs that use NAT (private IPs) to get online, and also boxes that have public Internet IPs set on them - with respective internet gateway IP, and we don't want DHCP to automatically assign the gateway on our clients.
If we want NAT access, we can set the gateway manually, because otherwise the machines get confused as to which gateway to choose when going out and we end up with connectivity issues, so we'd need to manually adjust metrics on all clients to use the internet gateway instead - which is not really feasible.
The problem is, with pfSense, if you leave the Gateway box empty in DHCP server settings, it says it will use the default gateway by default, so I'm not sure how to make it not set any gateway at all.
Is this possible? If so, how?
-
It may not be necessary. Perhaps your client's software may not allow DHCP to override a locally specified configuration item.
-
Let me explain this again, each client has at least two interfaces:
LAN
DMZ
DMZ has a gateway assigned, but if LAN gets its settings by DHCP, it also gets a gateway assigned to it because I can't seem to configure pfSense to not send one.
The system gets confused on which gateway to use unless the metric on the DMZ interface is lower than LAN.
Any ideas? Maybe this can be done by config file hacking somehow?
-
Why do you have clients connected to the DMZ and the LAN? This defeats the purpose of a DMZ.
-
Well, ignore the name DMZ in that case - the names don't necessarily reflect actual network conditions. Consider it OPT1. :)
In any case, the clients would end up with two gateways, which is something that I need to avoid.
I think this is a case of a default setting hurting more than helping. It should be an explicit setting whether you want the gateway applied or not.
It's definitely something that pfSense 2.0 should let you configure (if it doesn't already). In the meantime, is there a manual way to disable the default gw option for DHCP?
-
You shouldn't be mixing public and private IPs on the same broadcast domain (switch/vlan) in that way.
If it's really on OPT1, it wouldn't be picking up DHCP from things on the LAN.
With a properly segmented and routed network, a hack like dhcp without a gateway wouldn't be needed.
-
It's not the same broadcast domain. They're two separate interfaces (NICs) on separate subnets on separate network switches. One is connected to a subnet with a gateway, the other needs to take its IP by DHCP but pfSense also sends its own gateway.
We want to prevent that. I don't see anything particularly wrong with the way this network is segmented. We want only DHCP assigned IPs without the gateway.
What we need to do is definitely not a hack. Any other DHCP server software lets you specify if you want to set a gateway, and we're currently using Microsoft DHCP server but we wanted to replace it with the pfSense box. This is currently preventing us from doing so.
pfSense's artificial limitation here is holding us back from using it as a DHCP server. Is there really no way to work around this behavior?
-
No real way around that, not without editing the code.
Still seems ill-designed to me, but to each their own I suppose.
The cheap way around it would be to set the gateway to your subnet's null route (.0)
-
Hello,
I'm currently evaluating pfsense, and have some similar questions regarding interfacing with a local authoritative name server.
As a solution to the issue in this thread, could /usr/local/etc/dhcpd.conf be edited directly?
Login via ssh, edit the file to remove the line:
option routers 192.168.0.1;
from the "subnet" declaration, then restart dhcpd.
Can pfsense accommodate manual editing of conf files in parallel with webapp service administration?
Thanks!
johnea
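The edit johnea proposes above, removing the "option routers" line from one subnet declaration in dhcpd.conf, as an added example that is not code from this thread or from pfSense. The dhcpd.conf content is constructed for illustration, the function names are my own, and (as a later reply points out) pfSense may regenerate this file from its own configuration, so the edit is not expected to persist.

```python
import re

# Constructed sample in ISC dhcpd.conf syntax, shaped like the file the thread
# discusses; addresses are made up and not taken from any real pfSense box.
SAMPLE_DHCPD_CONF = """\
option domain-name "example.lan";
default-lease-time 7200;

subnet 192.168.0.0 netmask 255.255.255.0 {
  pool {
    range 192.168.0.10 192.168.0.200;
  }
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
}

subnet 10.10.0.0 netmask 255.255.255.0 {
  range 10.10.0.10 10.10.0.50;
  option routers 10.10.0.1;
}
"""

SUBNET_RE = re.compile(r"^\s*subnet\s+(\S+)\s+netmask\s+\S+\s*\{")
ROUTERS_RE = re.compile(r"^\s*option\s+routers\s+([^;]+);")


def _walk(conf: str, subnet: str):
    """Yield (line, inside): inside is True for lines that belong to the
    top-level declaration of `subnet`, tracked by brace depth so that a
    nested pool { } block does not end the subnet early."""
    depth, inside = 0, False
    for line in conf.splitlines(keepends=True):
        m = SUBNET_RE.match(line)
        if m and depth == 0 and m.group(1) == subnet:
            inside = True
        yield line, inside
        depth += line.count("{") - line.count("}")
        if inside and depth == 0:
            inside = False  # closing brace of the target subnet


def strip_routers_option(conf: str, subnet: str) -> str:
    """Remove every 'option routers' line from `subnet` only, leaving other
    subnets and the global options untouched (the edit proposed in the thread)."""
    return "".join(line for line, inside in _walk(conf, subnet)
                   if not (inside and ROUTERS_RE.match(line)))


def declared_routers(conf: str, subnet: str) -> list[str]:
    """Gateway addresses still declared inside `subnet`, for verifying the edit."""
    return [ROUTERS_RE.match(line).group(1).strip()
            for line, inside in _walk(conf, subnet)
            if inside and ROUTERS_RE.match(line)]
```

Running `declared_routers` on the result before restarting dhcpd confirms the gateway is gone from the intended subnet and still present in the others.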
-
As a solution to the issue in this thread, could /usr/local/etc/dhcpd.conf be edited directly?
A number of configuration files are regenerated from the pfSense configuration file on startup. I presume dhcpd.conf is one such file.
-
As a solution to the issue in this thread, could /usr/local/etc/dhcpd.conf be edited directly?
A number of configuration files are regenerated from the pfSense configuration file on startup. I presume dhcpd.conf is one such file.
Thanks Bob!
I'm really hoping pfsense will let me use that convenient web interface most of the time and then get under the hood with a freebsd command line whenever I need "something more".
I found this wiki entry regarding manually editing the pf filter rule files:
http://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset
If you really do need to edit the generated rules, you will have to edit /etc/inc/filter.inc which generates the ruleset.
Would this also apply to other webgui supported services such as dhcpd?
johnea
-
If you really do need to edit the generated rules, you will have to edit /etc/inc/filter.inc which generates the ruleset.
Would this also apply to other webgui supported services such as dhcpd?
Yes, there would likely be a service dependent file to be edited.