Netgate Discussion Forum
    New DHCP client received an IP address despite "Deny unknown clients"

    DHCP and DNS
    10 Posts 3 Posters 2.8k Views
    vodolej

      I have pfSense 2.1.3 and two VLANs:

      • LAN (VLAN 1) is private, DHCP option "Deny unknown clients" is set
      • VLAN 2 is public, DHCP option "Deny unknown clients" is not set

      If I connect any unknown client to the LAN (VLAN 1), it doesn't get an IP address. That's correct.

      One client from my guest was connected to VLAN 2 and received an IP address as expected. After that it was connected to my LAN, but it received a new IP address from the DHCP server on LAN, which was definitely not expected. I was very surprised.

      Can it be that the setting "Deny unknown clients" doesn't distinguish between VLANs?

      divsys

        Can you post your interface and your DHCP server settings for VLAN1 and VLAN2?

        -jfp

        vodolej

          Interface and DHCP settings as requested…

          [Attached screenshots: Interfaces.jpg, int_LAN.jpg, int_VLAN2.jpg, dhcp_LAN.jpg, dhcp_VLAN2.jpg]

          divsys

            Well, the first thing I noticed is that you don't appear to have two VLANs at all. It looks like a normal LAN assigned to vr0 and VLAN2 assigned to vr0.

            Usually you would create 2 separate VLANs with their own subnets, and assign them to vr0. You configure your switch to route each of the tagged VLAN IDs to the port(s) you want.

            You don't connect to the LAN subnet at all (you can, but it complicates the current picture).

            I would try to simplify your setup by creating VLAN1 on its own subnet attached to vr0 and build from there.

            -jfp

            vodolej

              Some of my clients don't support VLAN tagging. All untagged packets are automatically tagged by the switch with VLAN1, so there are definitely 2 VLANs. I don't see why and how it can be simplified.

              The VLAN config is not my problem. Is there any dependency why a guest client receives an IP address from the DHCP server, which is explicitly not allowed?

              divsys

                "Some of my clients don't support VLAN tagging. All untagged packets are automatically tagged by the switch with VLAN1, so there are definitely 2 VLANs."

                Your clients don't need to support VLAN tagging. pfSense and your switch need to understand the tagging. If you configure them properly, the switch will tag and untag packets for the correct ports and pfSense will route tagged packets to the correct VLAN interface(s) that you create. Your clients aren't involved in the VLAN tagging at all; they just get whatever traffic the switch decides should come out of (or tag traffic going into) their physical port.

                Can you post a screenshot of your "Interfaces->(assign)-VLANs" and the edit screen for both VLAN1 and VLAN2?

                -jfp

                vodolej

                  As I see it, the discussion goes in the wrong direction and doesn't touch my problem.

                  Can anybody explain to me why the DHCP server gives an address to the client, which is explicitly not allowed?

                  divsys

                    The way the DHCP server works is documented: https://doc.pfsense.org/index.php/DHCP_Server

                    From that page:

                    Deny Unknown Clients / Static ARP

                    Using the "Deny unknown clients" option, you can disallow DHCP access to any client which is not listed in the list at the bottom of the page. Similarly, you can also enable Static ARP to further restrict access so that only those clients listed can even talk to the pfSense router.

                    To create entries for Client access/Static ARP, click "+" at the bottom of the page just like adding a Static IP mapping. Enter a MAC address, hostname and description. You can leave the IP address blank to have it pull from the pool. As with the Static IP mappings, these can also be created from the DHCP Leases view.

                    Have you created a list of "known clients"? Your screenshot doesn't show this.

                    What are the firewall rules allowing/disallowing traffic between your two networks? Please post a screenshot.
                    If a client obtains an IP on LAN and then you move it to VLAN2, it will attempt to keep the address from LAN. If DHCP traffic is allowed between the nets, it will keep the address.

                    -jfp

                    vodolej

                      Yes, on LAN there is a list of known clients; I'm not going to post it.
                      On VLAN2 there are no "known clients" registered, it is a guest VLAN.

                      There are no rules for any traffic between VLANs. VLAN2 has only internet access.

                      You are looking for the problem in my config, but I'm pretty sure there is a bug in pfSense.

                      The client that received the IP address from the DHCP server is definitely a "guest", which was never in the list of "known clients" and is not allowed to get an IP address.

                      Gertjan

                        Strange indeed.

                        I guess I have a 'basic setup' with 3 interfaces, WAN, LAN and OPT1, my Portal interface with its own DHCP instance.
                        When I activated "Deny Unknown clients" my logs started to fill up with:

                        06-21-2014	17:50:02	Local7.Error	192.168.1.1	Jun 21 17:50:06 dhcpd: DHCPDISCOVER from 0c:77:1a:2b:13:35 via sis0: network 192.168.2.0/24: no free leases
                        06-21-2014	17:49:54	Local7.Error	192.168.1.1	Jun 21 17:49:58 dhcpd: DHCPDISCOVER from 0c:77:1a:2b:13:35 via sis0: network 192.168.2.0/24: no free leases
                        06-21-2014	17:49:49	Local7.Error	192.168.1.1	Jun 21 17:49:53 dhcpd: DHCPDISCOVER from 0c:77:1a:2b:13:35 via sis0: network 192.168.2.0/24: no free leases
                        06-21-2014	17:49:47	Local7.Error	192.168.1.1	Jun 21 17:49:51 dhcpd: DHCPDISCOVER from 0c:77:1a:2b:13:35 via sis0: network 192.168.2.0/24: no free leases

                        And of course, my 'client' device didn't get an IP anymore…

                        The only thing I don't have nor use is VLANs…

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit: and where are the logs??

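To check the behaviour divsys describes (a lease should only be granted on a "Deny unknown clients" interface to a MAC in that interface's known-clients list) against what dhcpd actually logged, here is an added log audit written for this thread, not code from pfSense or from any poster. It parses the "no free leases" denial lines in the format Gertjan quoted plus ISC dhcpd's DHCPACK lines, and reports any lease granted on a deny-unknown interface to a MAC that is not in the known list; the sample log, the MACs, the addresses, the known-clients list and the interface name "vr0_vlan2" are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample dhcpd log text. The "no free leases" line copies the
# format quoted in the thread; the DHCPACK lines use ISC dhcpd's own
# "DHCPACK on <ip> to <mac> (<host>) via <iface>" format, but every MAC,
# address and the interface name "vr0_vlan2" is made up for this example.
SAMPLE_LOG = """\
Jun 21 17:50:06 dhcpd: DHCPDISCOVER from 0c:77:1a:2b:13:35 via sis0: network 192.168.2.0/24: no free leases
Jun 21 17:51:10 dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:00:00:01 (laptop1) via vr0
Jun 21 17:52:42 dhcpd: DHCPACK on 192.168.1.77 to de:ad:be:ef:00:02 via vr0
Jun 21 17:53:03 dhcpd: DHCPACK on 192.168.20.10 to de:ad:be:ef:00:02 via vr0_vlan2
"""

# Assumed per-interface policy mirroring the thread: LAN (vr0) denies unknown
# clients and has a known-clients list; the guest VLAN interface does not.
KNOWN_CLIENTS: Dict[str, Set[str]] = {"vr0": {"aa:bb:cc:00:00:01"}}
DENY_UNKNOWN: Dict[str, bool] = {"vr0": True, "vr0_vlan2": False}

ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>[^\s:]+)"
)
DENY_RE = re.compile(
    r"dhcpd: DHCPDISCOVER from (?P<mac>[0-9A-Fa-f:]{17}) via (?P<iface>[^\s:]+)"
    r": network (?P<net>[^\s:]+): no free leases"
)


@dataclass
class Event:
    kind: str    # "ack" = lease granted, "denied" = DISCOVER got no lease
    mac: str
    iface: str
    ip: str = ""


def parse_dhcpd_log(text: str) -> List[Event]:
    """Extract lease grants and denials from dhcpd syslog text."""
    events: List[Event] = []
    for line in text.splitlines():
        if m := ACK_RE.search(line):
            events.append(Event("ack", m["mac"].lower(), m["iface"], m["ip"]))
        elif m := DENY_RE.search(line):
            events.append(Event("denied", m["mac"].lower(), m["iface"]))
    return events


def audit_leases(events: List[Event], known=KNOWN_CLIENTS, deny_unknown=DENY_UNKNOWN) -> List[Event]:
    """Leases granted on a deny-unknown interface to a MAC missing from its known list."""
    return [e for e in events
            if e.kind == "ack" and deny_unknown.get(e.iface, False)
            and e.mac not in known.get(e.iface, set())]
```

On the constructed sample, the lease for de:ad:be:ef:00:02 on vr0 is the one finding: it is the pattern the original poster reports, a guest MAC getting an address on the LAN interface, while the same MAC on the guest VLAN is expected.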