DHCP static MAC/ARP entries dotted quad only?
-
This is my first pfSense install (2.0.1) but I'm an old hand at FBSD (since 1.0). I'm replacing an ancient firewall (FBSD 4.8) with pfSense, but I'm trying to maintain complete compatibility. I have many "kinda smart" devices on my network which are DHCP only, however, they need specific firewall rules. For example, my VOIP PAP gets special treatment not only for SIP, but it insists on calling home for NTP, and firmware updates, among other things. In my old ISC DHCP configuration, I use the FQDN for "fixed-address". Apparently ISC dhcpd is able to resolve the IP by itself from the DNS (BIND) - I don't know if it is done at init time or when the dhcp request is processed. What I do know is that one more potential source of IP address aliasing is eliminated.
However, I have found with pfSense that only a dotted quad (IPv4) is allowed when entering the static DHCP entries. Is there a reason for this that I am missing?
It is a bit concerning that it appears that pfSense requires that I must enter the same name & IP address at least 3 different places consistently: once as an ALIAS for filtering, once for the hosts file, and a third time for a static DHCP lease. If the IP must be moved, for example because of network reorganization or segmentation, I must remember to update each one of these or very bad and confusing things will happen. Is there a way to unify the IP <–> host name mapping?
Secondly: the first time I selected "Enable Static ARP entries" I read the warning "Note: Only the machines listed below will be able to communicate with the firewall on this NIC." too late. As soon as I clicked on "Save" my whole system died. The serial console worked, but I couldn't get in or out of the box. Only after fidgeting, rebooting, and eventually removing the new firewall from service and restoring the old one, was I finally able to get it talking again. What happened? Why is this check box a "kill your working system" button? Why does enabling static DHCP entries make everything else stop working? I'm not selecting that check box again until I can understand what's going on. Because I need my VOIP phone, that means that the pfSense box sits in the corner.
Again, have I missed something?
Andrew
PS. That's really awesome that your login can timeout while you're typing a post in, tossing it out completely and leaving you with the maximally unhelpful messages:
Your session timed out while posting. Please try to re-submit your message.
No subject was filled in.
The message body was left empty.
I'm not seeing the benefit of this feature.
-
PS. That's really awesome that your login can timeout while you're typing a post in, tossing it out completely and leaving you with the maximally unhelpful messages:
Your session timed out while posting. Please try to re-submit your message.
No subject was filled in.
The message body was left empty.
I'm not seeing the benefit of this feature.
I have seen this from time to time and have been able to recover by clicking on the browser back button and clicking the Post button again.
-
Secondly: the first time I selected "Enable Static ARP entries" I read the warning "Note: Only the machines listed below will be able to communicate with the firewall on this NIC." too late. As soon as I clicked on "Save" my whole system died. The serial console worked, but I couldn't get in or out of the box. Only after fidgeting, rebooting, and eventually removing the new firewall from service and restoring the old one, was I finally able to get it talking again. What happened? Why is this check box a "kill your working system" button?
It isn't a "kill your working system" button, it's an "enable static ARP entries" button.
Why does enabling static DHCP entries make everything else stop working?
I presume you mean ARP rather than DHCP. I have two working pfSense systems with static DHCP entries. Static ARP uses the in-memory table to map from IP address to MAC address rather than asking the network "Who has IP address x.y.z.w?" If you want to communicate with IP address x.y.z.w and you have static ARP enabled and you haven't provided an IP address to MAC address mapping then the system won't be able to find the MAC address of the system with IP address x.y.z.w. Some people use this as a security measure.
I'm not selecting that check box again until I can understand what's going on.
That's probably a good general strategy, perhaps a corollary of "Don't sign anything you don't understand". But some people like adventure :)
-
I guess I'm missing something. This is "Enable Static ARP entries" in the "Services: DHCP Server" page. Why would this cripple the firewall to filter on ARP entries? For some reason, I thought that these were ARP entries (linking an IP to a MAC) for static DHCP clients that should be assigned a fixed address by dhcpd. If this is not how to accomplish this goal, then I'd appreciate some help about how I go about configuring ISC dhcpd's configuration file like I have used for nearly a decade:
    group {
        # Compaq T300 Laptop
        host windows2 {
            hardware ethernet 00:d0:59:17:55:dd;
            option broadcast-address 10.0.255.255;
            option host-name "windows2";
            fixed-address windows2.example.com;
            option domain-name-servers 10.0.0.1;
            option ntp-servers 10.0.0.1;
        }
        …
    }
-
I'd appreciate some help about how I go about configuring ISC dhcpd's configuration file like I have used for nearly a decade:
On the Services -> DHCP Server page click the "+" at the bottom of the page to add new entries to the (MAC address, IP address, Hostname, Description) table.
pfSense doesn't support as rich a set of combinations as would be available if you could edit the dhcpd configuration file yourself.
pfSense keeps its configuration information in a single configuration file. On startup, configuration files for individual utilities are regenerated from the pfSense configuration file.
-
I see now from interfaces_staticarp_configure($if) that staticarp actually has nothing to do with dhcpd whatsoever. It simply cribs the MAC & IP pairs from the dhcpd configuration and uses them after issuing:
    ifconfig $if staticarp
    arp -d -i $if -a
which disables ARP discovery on interface $if, flushes all the existing entries, and then repopulates the ARP table with:
    arp -s $ip $mac
Which can totally bone you if you have not prepared by entering any MAC & IP pairs. Other than the cryptic warning, I think it would be nice to explain that this has nothing to do with DHCP, and means disabling ARP discovery for that interface. Perhaps in the Note: or in pop-up help.
But all that still doesn't explain why IP addresses must be used instead of the FQDN?
Andrew
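An added example (not code from this thread or from pfSense) that ties together the static ARP explanation and the ifconfig/arp sequence above: it pulls the MAC/IP pairs out of dhcpd-style host stanzas, resolving an FQDN fixed-address the way dhcpd would (here through a constructed lookup table standing in for DNS), then compares them with the interface's current ARP table to list which neighbours would be cut off once `ifconfig $if staticarp` runs and the table is rebuilt from the static list. The dhcpd.conf and `arp -an` samples are constructed.

```python
import re
# Constructed sample in the style of the dhcpd.conf stanza posted above.
DHCPD_CONF = """\
group {
    # Compaq T300 Laptop
    host windows2 {
        hardware ethernet 00:d0:59:17:55:dd;
        fixed-address windows2.example.com;
    }
    host pap {
        hardware ethernet 00:0e:08:aa:bb:cc;
        fixed-address 10.0.0.20;
    }
}
"""
# Constructed stand-in for the DNS lookup dhcpd does for an FQDN fixed-address.
DNS = {"windows2.example.com": "10.0.0.10"}
# Constructed `arp -an` sample: .20's MAC no longer matches its entry, .50 has none.
ARP_AN = """\
? (10.0.0.10) at 00:d0:59:17:55:dd on em0 expires in 1184 seconds [ethernet]
? (10.0.0.20) at 00:0e:08:dd:ee:ff on em0 expires in 600 seconds [ethernet]
? (10.0.0.50) at 00:50:56:00:00:01 on em0 expires in 90 seconds [ethernet]
"""
HOST_RE = re.compile(r"host\s+\S+\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-f:]{17});", re.I)
FIXED_RE = re.compile(r"fixed-address\s+([^;]+);")
ARP_RE = re.compile(r"\((\S+)\) at ([0-9a-f:]{17}) on (\S+)", re.I)

def static_mappings(conf, dns):
    """{ip: mac} from host stanzas; an FQDN fixed-address is resolved through dns."""
    out = {}
    for body in HOST_RE.findall(conf):
        mac, fixed = MAC_RE.search(body), FIXED_RE.search(body)
        if not (mac and fixed):
            continue
        target = fixed.group(1).strip()
        ip = target if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", target) else dns.get(target)
        if ip:
            out[ip] = mac.group(1).lower()
    return out

def arp_table(arp_an, ifname):
    """{ip: mac} for the neighbours currently known on ifname, from `arp -an` text."""
    return {ip: mac.lower() for ip, mac, i in ARP_RE.findall(arp_an) if i == ifname}

def staticarp_cutoff(conf, dns, arp_an, ifname):
    """Known neighbours on ifname with no static entry, or a different MAC: unreachable after staticarp."""
    static = static_mappings(conf, dns)
    return sorted(ip for ip, mac in arp_table(arp_an, ifname).items() if static.get(ip) != mac)
```

Run it against the live `arp -an` output and the generated dhcpd.conf before ticking the box; an empty list means the rebuild will not strand any host the firewall is currently talking to.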