    DHCPd with multiple ipv4 subnets outside of local interface network. (300US$)

    Bounties, 120 Posts, 29 Posters, 91.2k Views

    • MnM

       I am still trying to get this to work as I need it… not much luck :(

       Below I will describe my setup and how it works now; perhaps someone has an idea to make my setup work with this DHCPd addon?

       pfSense 2.1.4

      Two physical internal NICs - LAN = 192.168.0.0 and Guests 172.20.0.0
      Both LAN and Guests plugged into the same switch.

      LAN
       Enable DHCP server on LAN interface
       Deny unknown clients
       All other normal settings plus
       Enable Static ARP Entries
       Then I have a few DHCP Static Mappings for the interface

      Guests
      Enable DHCP server on GUEST interface
      All other normal settings plus

       Now, as the setup above by itself didn't give me what I needed, I modified dhcpd.conf manually with the required settings and then modified /etc/inc/services.inc to write the pfSense dhcpd config to dhcpd.conf.auto (so it doesn't overwrite my config when it reboots), as per below:

       /* write dhcpd.conf (to dhcpd.conf.auto, so the hand-edited dhcpd.conf is left alone) */
               if (!@file_put_contents("{$g['dhcpd_chroot_path']}/etc/dhcpd.conf.auto", $dhcpdconf)) {
                       printf(gettext("Error: cannot open dhcpd.conf in services_dhcpdv4_configure().%s"), "\n");
                       unset($dhcpdconf);
                       return 1;
               }

      My dhcpd.conf looks like:

       max-lease-time 43200;
       default-lease-time 86400;
       ddns-update-style interim;

       log-facility local4;

       # DPI Network
       shared-network DPI {
               # Guests
               subnet 172.20.0.0 netmask 255.255.255.0 {
                       authoritative;
                       allow unknown-clients;
                       # don't let clients update A records for ddns;
                       ignore client-updates;
                       range 172.20.0.10 172.20.0.30;
                       max-lease-time 86400;
                       default-lease-time 43200;
                       option subnet-mask 255.255.255.0;
                       option broadcast-address 172.20.0.255;
                       option domain-name "guest.domain.tld";
                       option domain-name-servers 172.20.0.254;
                       option routers 172.20.0.254;
                       option ntp-servers 172.20.0.254;
                       allow unknown-clients;
               }
               # DPI
               # Note: the ranges, lease times and options below all sit directly in the subnet
               # scope, not in pool { } blocks, so a repeated parameter does not attach to the
               # range it follows; per-range parameters would need pool { } blocks.
               subnet 192.168.0.0 netmask 255.255.255.0 {
                       authoritative;
                       deny unknown-clients;

                       range 192.168.0.1 192.168.0.9;
                       max-lease-time 864000;
                       default-lease-time 432000;
                       option subnet-mask 255.255.255.0;
                       option broadcast-address 192.168.0.255;
                       option domain-name "dpi.com";
                       option domain-name-servers 192.168.0.254;
                       option routers 192.168.0.254;
                       option ntp-servers 192.168.0.254;
                       host NAS {
                               hardware ethernet 00:02:b3:0c:28:54;
                               fixed-address 192.168.0.5;
                       }
                       deny unknown-clients;

                       range 192.168.0.10 192.168.0.15;
                       max-lease-time 86400;
                       default-lease-time 43200;
                       option subnet-mask 255.255.255.0;
                       option broadcast-address 192.168.0.255;
                       option domain-name "dpi.com";
                       option domain-name-servers 192.168.0.254;
                       option routers 192.168.0.254;
                       option ntp-servers 192.168.0.254;
                       host ps3 {
                               hardware ethernet a8:e3:ee:7b:ec:b0;
                               fixed-address 192.168.0.10;
                       }
                       deny unknown-clients;

                       range 192.168.0.20 192.168.0.25;
                       option subnet-mask 255.255.255.0;
                       option broadcast-address 192.168.0.255;
                       option domain-name "dpi.com";
                       option domain-name-servers 192.168.0.254;
                       option routers 192.168.0.254;
                       option ntp-servers 192.168.0.254;
                       host oppo93 {
                               hardware ethernet 00:22:de:89:5c:76;
                               fixed-address 192.168.0.20;
                       }
                       host dunemax {
                               hardware ethernet 00:16:e8:69:81:e3;
                               fixed-address 192.168.0.21;
                       }
                       host wdhub1 {
                               hardware ethernet 00:90:a9:a9:13:55;
                               fixed-address 192.168.0.22;
                       }
                       host wdhub2 {
                               hardware ethernet 00:90:a9:a8:68:b5;
                               fixed-address 192.168.0.23;
                       }
                       host jvc {
                               hardware ethernet 00:80:88:11:D7:D6;
                               fixed-address 192.168.0.24;
                       }
                       host yamaha {
                               hardware ethernet 00:a0:de:4c:a6:89;
                               fixed-address 192.168.0.25;
                       }
                       host lg {
                               hardware ethernet 3c:cd:93:11:95:8b;
                               fixed-address 192.168.0.26;
                       }
                       deny unknown-clients;
               }
       }

      The above works exactly as I wanted:

       A known (defined) device will get an IP from the 192.168.0.0 range.
       If an unknown device tries to get an IP address, since its MAC is not defined anywhere it will receive an IP from the 172.20.0.0 network.

       This way any guests coming to visit can get a wireless or a wired connection from any access point or network point in the house (that's why I am not using VLANs) on a different network than my main network.
       Because I have enabled static ARP entries on the LAN interface, guests will not be able to use the LAN interface even if manually entering a 192.168.0.0 (LAN) network address - they will only be able to use the GUESTS NIC and network.

       Now the issue is this - every time there is an update, I have to manually reconfigure /etc/inc/services.inc, then copy my config back to dhcpd.conf.
       When I get new devices in the house I have to manually add them to the dhcpd.conf.
       Since I am redirecting the output to dhcpd.conf.auto, the DHCPD logs are not a real representation of what is happening.

       So I thought that with the new code from marcelloc I could get it to work like I have it now and have the added bonus of a GUI to change stuff. But I could not get it to work at all like above :(

       Perhaps I was wrong and the new code from marcelloc doesn't support my configuration? (When I implemented it, it removed all my custom config as it overwrites the file that I was modifying, so basically it was like a normal config.)

       If anyone has any ideas what to try in the new config from marcelloc to achieve my existing config I am all ears :)

      Thanks

      • marcelloc

        @MnM:

        Two physical internal NICs - LAN = 192.168.0.0 and Guests 172.20.0.0
        Both LAN and Guests plugged into the same switch.

        It's not a best practice. The best way is to have one segment for guests and another for LAN.

        @MnM:

        Guests
        Enable DHCP server on LAN interface
        All other normal settings plus

        Guest network on Lan interface?

        There are many access points with an AP isolation feature and multiple SSIDs. You can create a guest wifi with that enabled, with only one network mask on your network.

        The code implements multiple subnets for DHCP, but in normal situations the DHCP requests for those networks come from DHCP relays, not from the same network segment.

        Treinamentos de Elite (Elite Training): http://sys-squad.com

        Help a community developer! ;D

        • MnM

          @marcelloc:

          Guest network on Lan interface?

          Sorry, typo; I meant Guest interface.

          Thanks for replying. I have a guest wifi on my access point (isolated); however, if I don't run the above configuration I can offer the same for people that come visiting and plug their devices into an RJ45 wall socket.

          With the setup as it is above I can look after wifi and RJ45 wall socket guests (most of them are actually RJ45 wall sockets, as they are teenagers visiting my teenage sons to play games, hence not so much wifi). The RJ45 wall sockets I have normally have switches in them, so my son's PC, PS3, sound, TV etc. are also plugged in to the same network. That's why no VLANs: I can't VLAN all the other devices plugged into the same RJ45 wall socket.

          Ohh well looks like I will have to stick with manually editing files for now. I was really hoping to have a GUI and make things easier. Not to worry.

          Thanks.

          • haddock

            I am interested in testing this.

            Would a PayPal transfer of $30 be enough?

            • marcelloc

              @haddock:

              I am interested in testing this.

              Would a PayPal transfer of $30 be enough?

              sure.

              Thanks for your interest on donating on this bounty.


              • haddock

                Just a question before donating.

                Does static DHCP also work for the additional subnets?
                So I can manually configure IP / MAC for clients in all subnets?

                • marcelloc

                  @haddock:

                  Does static DHCP also work for the additional subnets?
                  So I can manually configure IP / MAC for clients in all subnets?

                  Yes.

                  Multiple dhcp ranges on the same network segment is not a best practice.


                  • haddock

                    Donation of $30 has been made.

                    Will test it out on 2.1.5 once I get the code :)

                    • haddock

                      It is working well with 2.1.5.

                      • shade

                        Well, as the top donor (since another person did not pay) I am not quite happy.

                        • The patch breaks if I update my pfSense to versions newer than 2.1.0 (maybe it is because I am on an early Sep 2013 patch version).

                        • What happened to inclusion in "main" pfSense? The patch is still not present in the 2.1.5 or 2.2.x series. That was a requirement.

                        • Marcelloc: I reported a bug in the patch back in Feb, and not even an answer from you, therefore it is in public: the "Enable network booting" options next-server and filename are not working for sub-pools; only the "head" interface has these settings written to the config.

                        • haddock

                          Testing this further, I have found an implemented feature that is not working correctly and had me spooked for a while until I figured it out.

                          From testing it affects DNS server / Domain name / Domain search list, including hosts with static dhcp leases, but could be more settings affected. I think it's the global definitions in dhcpd.conf that is the culprit.

                          option domain-name-servers
                          option domain-name
                          option domain-search

                          It's pretty confusing to explain the issues but here goes, I think it will be easier if I make an example.

                          Let's say that the pfSense hostname under System –> General setup is:

                          hostname: pfsense
                          domain: mycorp.office

                          This will then generate a global definition on the top row in /var/dhcpd/etc/dhcpd.conf as:

                          option domain-name "mycorp.office";

                          So far so good.

                          Now let's say we want to use a different domain name / search domain / DNS for our other subnets.

                          We start with configuring the subnet that is locally connected to pfsense (default subnet for the LAN interface), not adding any additional pool yet.

                          Services --> DHCP Server --> LAN

                          We leave this at default settings.

                          That would look something like this in dhcpd.conf

                          subnet 192.168.1.0 netmask 255.255.255.0 {
                                  pool {
                                          range 192.168.1.50 192.168.1.250;
                                  }
                                  option routers 192.168.1.1;
                                  option domain-name-servers 192.168.1.1;
                          }

                          Ok, no problem with this.

                          Then we define another subnet 192.168.2.0/24

                          In this subnet we will not be using pfSense as the DNS resolver, so we change some settings: DNS server, domain name, domain search list.

                          Then the following config gets generated in dhcpd.conf. As you can see, option domain-name-servers gets defined twice; I don't know if that is really an issue, but at least it's not best practice ;)

                          subnet 192.168.2.0 netmask 255.255.255.0 {
                                  pool {
                                          option domain-name-servers 10.45.0.10,10.45.0.11;
                                          option routers 192.168.2.1;
                                          option domain-name "mycorp.south";
                                          option domain-search "mycorp.south";
                                          option domain-name-servers 10.45.0.10,10.45.0.11;
                                          option netbios-name-servers 10.45.0.10,10.45.0.11;
                                          option netbios-node-type 8;
                                          range 192.168.2.50 192.168.2.250;
                                  }
                          }

                          Now, let's say we want to add a client with static DHCP from the 192.168.2.0 subnet, and we don't add anything extra to that static config.

                          host s_lan_0 {
                                  hardware ethernet 11:22:33:44:55:66;   # placeholder MAC
                                  fixed-address 192.168.2.5;
                                  option host-name "testing";
                          }

                          Now problems arise: this client will now get all the "global config" defined from the 192.168.1.0 subnet; it will not get the DNS, gateway etc. defined in the 2.0 subnet.

                          Also, which is what I think is the major issue here, is that the dhcpd.conf static host stanza is entered under the 192.168.1.0 subnet. Like this:

                          subnet 192.168.1.0 netmask 255.255.255.0 {
                                  pool {
                                          range 192.168.1.50 192.168.1.250;
                                  }
                                  option routers 192.168.1.1;
                                  option domain-name-servers 192.168.1.1;
                          }
                          host s_lan_0 {
                                  hardware ethernet 11:22:33:44:55:66;   # placeholder MAC
                                  fixed-address 192.168.2.5;
                                  option host-name "testing";
                          }

                          I think the proper config would be to place static clients after the subnet statements, so 192.168.2.0 static hosts will have to be defined after the:
                          subnet 192.168.2.0 netmask 255.255.255.0 {
                                  pool {  …
                          }

                          I'm sure this will sound confusing, it was even somewhat confusing writing it down, but I hope you get the picture of the problem.

                          Let me know if you want something explained further.

                          Seeing shade's post above I think my issue is the same as his:

                          "- Marcelloc: I reported a bug in the patch back in Feb, and not even an answer from you, therefore it is in public: the "Enable network booting" options next-server and filename are not working for sub-pools; only the "head" interface has these settings written to the config."

                          • marcelloc

                            @shade:

                            • Marcelloc: I reported a bug in the patch back in Feb, and not even an answer from you, therefore it is in public: the "Enable network booting" options next-server and filename are not working for sub-pools; only the "head" interface has these settings written to the config.

                            As I told you, I've pushed the patch twice to the 2.1 branch but it was not merged.

                            I will try again for 2.2, but 2.1 accepts only patches.

                            The sub-pools next-server is taking more time than I expected to change.

                            To be honest, the partial bounty was the main reason it did not get finished until today, but I'm still working on it. Sorry for the looong delay in finishing it.


                            • marcelloc

                              @haddock:

                              Testing this further, I have found an implemented feature that is not working correctly and had me spooked for a while until I figured it out.

                              I'll test it too. Thanks for the feedback.

                              The main issue in getting all this working together is the zones main loop in the PHP code.


                              • haddock

                                @bennyc:

                                Hi Marcelloc,

                                I know it's already been a while, but I think I encountered a couple of things we missed.
                                Sub-pools work fine… but when adding a static mapping for a client in a sub-pool, it does not hand out WINS/DNS: not the default, not the ones I put there. (not so good ::) )
                                It also doesn't complain if I use an IP within the pool range? (can live with that)
                                When removing the static mapping (but leaving it in the sub-pool), the DHCP daemon hands out both fine.

                                So the issue is in the static mapping creation (writing to dhcpd.conf, to be more precise; at least I think it is).

                                When looking at the dhcpd.conf, it gets written correctly except for the option "domain-name-servers"; that part is missing even if I update it in the static mapping (it does not add it to the "host s_lan_0" part):

                                (partial code)

                                
                                host s_lan_0 {
                                        hardware ethernet 00:50:56:ad:6f:c1;
                                        fixed-address 192.168.9.11;
                                        option host-name "REMOTE-7";
                                        option routers 192.168.9.254;
                                }
                                subnet 192.168.9.0 netmask 255.255.255.0 {
                                        pool {
                                                option domain-name-servers 192.168.1.254;
                                                option routers 192.168.9.254;
                                                range 192.168.9.1 192.168.9.10;
                                        }
                                }
                                

                                Went through the code of services_dhcp.php (quickly), as I suspect the issue is there (might be wrong), but it seems my coding knowledge is still too limited; can't point it out yet :-[

                                Can you still check this please?

                                tnx & br, Benny.

                                This also seems related to the problems I am experiencing, especially this one:

                                "but when adding a static mapping for a client in a sub-pool, it does not hand out WINS/DNS: not the default, not the ones I put there. (not so good  ::) )"

                                Marcello, how much time would you say it would take for you to solve the issues?

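The two reports above share one structural pattern: haddock's generated file has `host s_lan_0` at global scope while the 192.168.2.0 options sit inside `pool { }`, and bennyc's partial dhcpd.conf has `domain-name-servers` only inside the pool. The script below is an added example, not code from pfSense or from the patch under discussion; it flattens a dhcpd.conf into scopes and reports options that a fixed-address host would never receive because they are declared only inside a `pool { }` of its subnet (dhcpd applies pool parameters to leases drawn from that pool, while a static host is served from its own scope plus the subnet containing its address and that subnet's outer scopes), options whose pool value is shadowed by a value from an outer scope, and the same option declared twice in one scope. Both embedded configurations are constructed from the fragments quoted in the thread, with a placeholder MAC; `lint(SAMPLE_CONF)` flags the generated layout, and `lint(CORRECTED_CONF)`, with the options lifted to subnet scope and the host declared under its subnet, reports nothing.

```python
"""Scope lint for ISC dhcpd.conf (added example): the option placement mistakes discussed above."""
import ipaddress
from collections import Counter

# Constructed sample shaped like the generator output haddock quoted: options in pool { }, host at global scope.
SAMPLE_CONF = """option domain-name "mycorp.office";
subnet 192.168.1.0 netmask 255.255.255.0 {
  pool { range 192.168.1.50 192.168.1.250; }
  option routers 192.168.1.1; option domain-name-servers 192.168.1.1;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
  pool {
    option domain-name-servers 10.45.0.10,10.45.0.11; option routers 192.168.2.1;
    option domain-name "mycorp.south"; option domain-name-servers 10.45.0.10,10.45.0.11;
    range 192.168.2.50 192.168.2.250;
  }
}
host s_lan_0 { hardware ethernet 11:22:33:44:55:66; fixed-address 192.168.2.5; }  # placeholder MAC
"""
# Same network with the options lifted to subnet scope and the host declared under its subnet.
CORRECTED_CONF = """option domain-name "mycorp.office";
subnet 192.168.1.0 netmask 255.255.255.0 {
  pool { range 192.168.1.50 192.168.1.250; }
  option routers 192.168.1.1; option domain-name-servers 192.168.1.1;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
  option domain-name-servers 10.45.0.10,10.45.0.11; option routers 192.168.2.1;
  option domain-name "mycorp.south";
  pool { range 192.168.2.50 192.168.2.250; }
  host s_lan_0 { hardware ethernet 11:22:33:44:55:66; fixed-address 192.168.2.5; }
}
"""

def parse(text):
    """Flatten dhcpd.conf into (scope_path, statement) pairs, scope_path being the tuple of
    enclosing block headers; handles # comments and "..." strings, rejects unbalanced braces."""
    path, buf, in_string, i, out = [], [], False, 0, []
    while i < len(text):
        ch = text[i]
        if in_string or ch == '"':                 # nothing is special inside a string
            buf.append(ch)
            in_string = not (in_string and ch == '"')
        elif ch == "#":                            # comment runs to end of line
            i = (text.find("\n", i) + 1) or len(text)
            continue
        elif ch in ";{}":
            token, buf = " ".join("".join(buf).split()), []
            if ch == "{":
                path.append(token)
            elif ch == "}":
                if not path:
                    raise ValueError("unbalanced '}'")
                path.pop()
            elif token:
                out.append((tuple(path), token))
        else:
            buf.append(ch)
        i += 1
    if path:
        raise ValueError(f"unclosed block: {path[-1]}")
    return out

def options_at(conf, path):
    """Option names declared directly in one scope, duplicates kept."""
    return [s.split()[1] for p, s in conf if p == path and s.startswith("option ")]

def subnet_of(header):
    w = header.split()                             # "subnet A netmask M" -> ip_network, else None
    return ipaddress.ip_network(f"{w[1]}/{w[3]}") if len(w) == 4 and w[0] == "subnet" else None

def lint(text):
    """Return (kind, scope, detail) findings. A fixed-address host gets parameters from its own
    scope and from the subnet holding its address (plus outer scopes), never from a pool { }."""
    conf = parse(text)
    scopes = sorted({p[:n] for p, _ in conf for n in range(len(p) + 1)})
    subnets = [p for p in scopes if p and subnet_of(p[-1]) is not None]
    findings = []
    for path in scopes:                            # same option declared twice in one scope
        for name, count in Counter(options_at(conf, path)).items():
            if count > 1:
                findings.append(("duplicate-option", " > ".join(path) or "global", name))
    for path, stmt in conf:
        if not (path and path[-1].startswith("host ") and stmt.startswith("fixed-address ")):
            continue
        ip = ipaddress.ip_address(stmt.split()[1])
        owner = next((p for p in subnets if ip in subnet_of(p[-1])), None)
        if owner is None:                          # address outside every declared subnet
            findings.append(("fixed-address-in-no-subnet", path[-1], str(ip)))
            continue
        defined_in = {}                            # option -> nearest scope defining it
        for scope in [path] + [owner[:n] for n in range(len(owner), -1, -1)]:
            for name in options_at(conf, scope):
                defined_in.setdefault(name, scope)
        for name in sorted(set(options_at(conf, owner + ("pool",)))):
            if name not in defined_in:
                findings.append(("pool-only-option", path[-1], name))
            elif defined_in[name] not in (path, owner):
                findings.append(("pool-value-shadowed", path[-1], name))
    return findings
```

To check a live file, call `lint()` on the contents of /var/dhcpd/etc/dhcpd.conf after the GUI has written it. It complements `dhcpd -t -cf <file>`, which only verifies syntax and passes the pool-only layout without comment; the lint does not model classes or shared-network fallbacks, so treat its output as a pointer to the scope to inspect rather than a full simulation of dhcpd.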
                                • shade

                                  @marcelloc:

                                  The sub-pools next-server is taking more time than I expected to change.

                                  A simple reply to my PM would have been nice ;)

                                  @marcelloc:

                                  To be honest, the partial bounty was the main reason it did not get finished until today, but I'm still working on it. Sorry for the looong delay in finishing it.

                                  I understand. I was/am very disappointed by the bounty starter just taking the code and running, and screwing us all over like that. But I paid my part of the $500 and would like to have the bug fixed, and it would also be nice to be able to update and still apply the patch.

                                  • shade

                                    marcelloc: Don't know if it helps, but I made a little "hack" to get the net boot working. It is ugly but it does the trick.

                                    The change is made in services.inc, like this:

                                    @@ -673,13 +673,13 @@

                                    // net boot information
                                                            if(isset($poolconf['netboot'])) {
                                    -                              if (!empty($poolconf['nextserver']) && ($poolconf['nextserver'] != $dhcpifconf['nextserver'])) {
                                    +                              if (!empty($poolconf['nextserver'])) {
                                                                            $pool_dhcpconf .= "            next-server {$poolconf['nextserver']};\n";
                                                                    }
                                    -                              if (!empty($poolconf['filename']) && ($poolconf['filename'] != $dhcpifconf['filename'])) {
                                    +                              if (!empty($poolconf['filename'])) {
                                                                            $pool_dhcpconf .= "            filename "{$poolconf['filename']}";\n";
                                                                    }
                                    -                              if (!empty($poolconf['rootpath']) && ($poolconf['rootpath'] != $dhcpifconf['rootpath'])) {
                                    +                              if (!empty($poolconf['rootpath'])) {
                                                                            $pool_dhcpconf .= "            option root-path "{$poolconf['rootpath']}";\n";
                                                                    }
                                                            }
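                                    Review bot: the three `+` lines drop the `!= $dhcpifconf[...]` comparison, so a pool's next-server, filename and root-path are now emitted whenever they are set, even when they equal the interface-level value; that is what lets them reach a sub-pool that is its own subnet and cannot inherit from the interface's subnet scope, and for a pool inside the interface's own subnet it merely restates the inherited value, which dhcpd accepts. Two things to check before applying it: as pasted, the inner quotes in `filename "{$poolconf['filename']}";\n` and `option root-path "{$poolconf['rootpath']}";\n` are unescaped inside a double-quoted PHP string and will not parse, so the real file must carry `\"` (the backslashes were most likely lost in the paste); and the values are interpolated into dhcpd.conf verbatim, so a filename or root path containing `"`, `;` or a newline would break or extend the generated configuration, and validating them (or rejecting those characters) before writing would be safer.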

                                    • haddock

                                      Just wondering if the dhcp conf issues are actually being worked on?

                                      Why are people complaining on the OP not paying up when the bounty isn't completed?

                                      • haddock

                                        @marcelloc:

                                        @haddock:

                                        Testing this further, I have found an implemented feature that is not working correctly and had me spooked for a while until I figured it out.

                                        I'll test it too. Thanks for the feedback.

                                        The main issue in getting all this working together is the zones main loop in the PHP code.

                                        Did you manage to test it further?

                                        Also if you could hint if you are going to put more work into this or not would be appreciated.

                                        • bennyc

                                          @haddock:

                                          Why are people complaining on the OP not paying up when the bounty isn't completed?

                                          It was my understanding that there is some rule on it, and the rule was there way before the bounty was started. See

                                          Bounty board rules and guidelines - READ FIRST BEFORE STARTING A BOUNTY
                                          https://forum.pfsense.org/index.php?topic=6948.0
                                          Last edited, new policy of requiring money up front.  Sorry but we have been burned too many times now.

                                          @Marcello, could you update the bounty if and when you will continue work on it? Most important to me now is the merge into 2.2, even with its limitations. (I just installed the 2.2RC, and it seems not to be in it.)
                                          If it turns out to be a solution that is not future-proof or supported, I would like to know so I can look at alternatives… (It would be a real pity because it has worked with 0 issues, but I just want to plan ahead...)

                                          4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
                                          1x PC Engines APU2C4, 1x PC Engines APU1C4

                                          • bennyc

                                            For those following the bounty: I got word from Marcelloc, who tried another merge.
                                            Seems not accepted yet though… ???


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.