Ignore denied clients and deny MAC crash dhcpd
-
I'm having trouble with using a MAC deny and "Ignore denied clients". When using these two options in combination, dhcpd fails with errors. This is using pretty much the vanilla configuration, I ran through the setup wizard changing minimal options. Unfortunately I'm not very familiar with dhcpd and these kinds of advanced options and cannot find anything through googling this specific problem with pfSense. Any thoughts? The ONLY thing I did to the dhcpd settings is enable the MAC deny and marked "Ignore denied clients".
Thank you very much for your time in advance!
This is running on an SG-2440 with the latest version of pfSense:
2.3.2-RELEASE-p1 (amd64)
built on Fri Sep 30 14:36:56 CDT 2016
FreeBSD 10.3-RELEASE-p9
Here is /var/dhcpd/etc/dhcpd.conf:
1
2 option domain-name "local";
3 option ldap-server code 95 = text;
4 option domain-search-list code 119 = text;
5 option arch code 93 = unsigned integer 16; # RFC4578
6
7 default-lease-time 7200;
8 max-lease-time 86400;
9 log-facility local7;
10 one-lease-per-client true;
11 deny duplicates;
12 ping-check true;
13 update-conflict-detection false;
14 dhcp-cache-threshold 0;
15 authoritative;
16 class "000EE3" {
17 match if substring (hardware, 1, 3) = 00:0E:E3;
18 }
19 subnet 10.2.0.0 netmask 255.255.0.0 {
20 pool {
21 ignore members of "000EE3";
22
23 range 10.2.10.10 10.2.255.245;
24 }
25
26 option routers 10.2.10.1;
27 option domain-name-servers 10.2.10.1;
28
29 }
Here is dhcpd.log:
Jan 9 16:27:52 pfSense dhcpd: Internet Systems Consortium DHCP Server 4.3.4
Jan 9 16:27:52 pfSense dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jan 9 16:27:52 pfSense dhcpd: All rights reserved.
Jan 9 16:27:52 pfSense dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jan 9 16:27:52 pfSense dhcpd: Config file: /etc/dhcpd.conf
Jan 9 16:27:52 pfSense dhcpd: Database file: /var/db/dhcpd.leases
Jan 9 16:27:52 pfSense dhcpd: PID file: /var/run/dhcpd.pid
Jan 9 16:27:52 pfSense dhcpd: Internet Systems Consortium DHCP Server 4.3.4
Jan 9 16:27:52 pfSense dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jan 9 16:27:52 pfSense dhcpd: All rights reserved.
Jan 9 16:27:52 pfSense dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jan 9 16:27:52 pfSense dhcpd: Wrote 1 leases to leases file.
Jan 9 16:27:52 pfSense dhcpd: Listening on BPF/igb1/00:08:a2:0a:f5:5b/10.2.0.0/16
Jan 9 16:27:52 pfSense dhcpd: Sending on BPF/igb1/00:08:a2:0a:f5:5b/10.2.0.0/16
Jan 9 16:27:52 pfSense dhcpd: Sending on Socket/fallback/fallback-net
Jan 9 16:27:52 pfSense dhcpd: Server starting service.
Jan 9 16:28:05 pfSense dhcpd: Internet Systems Consortium DHCP Server 4.3.4
Jan 9 16:28:05 pfSense dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jan 9 16:28:05 pfSense dhcpd: All rights reserved.
Jan 9 16:28:05 pfSense dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jan 9 16:28:05 pfSense dhcpd: /etc/dhcpd.conf line 21: expecting allow/deny key
Jan 9 16:28:05 pfSense dhcpd: ignore members
Jan 9 16:28:05 pfSense dhcpd: ^
Jan 9 16:28:05 pfSense dhcpd: /etc/dhcpd.conf line 21: expecting a parameter or declaration
Jan 9 16:28:05 pfSense dhcpd: ignore members of "000EE3";
Jan 9 16:28:05 pfSense dhcpd: ^
Jan 9 16:28:05 pfSense dhcpd: /etc/dhcpd.conf line 24: Pool declaration with no address range.
Jan 9 16:28:05 pfSense dhcpd: }
Jan 9 16:28:05 pfSense dhcpd: ^
Jan 9 16:28:05 pfSense dhcpd: Pool declarations must always contain at least
Jan 9 16:28:05 pfSense dhcpd: one range statement.
Jan 9 16:28:05 pfSense dhcpd: Configuration file errors encountered – exiting
Jan 9 16:28:05 pfSense dhcpd:
Jan 9 16:28:05 pfSense dhcpd: If you think you have received this message due to a bug rather
Jan 9 16:28:05 pfSense dhcpd: than a configuration issue please read the section on submitting
Jan 9 16:28:05 pfSense dhcpd: bugs on either our web page at www.isc.org or in the README file
Jan 9 16:28:05 pfSense dhcpd: before submitting a bug. These pages explain the proper
Jan 9 16:28:05 pfSense dhcpd: process and the information we find helpful for debugging..
Jan 9 16:28:05 pfSense dhcpd:
Jan 9 16:28:05 pfSense dhcpd: exiting.
edit: added numbering to dhcpd.conf
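The parse failure in the log above can be caught before dhcpd is restarted. The following is an added example, not part of the original post or of pfSense: a POSIX shell function (hypothetical name `find_ignore_permits`) that scans a dhcpd.conf for `ignore members of` inside `pool` blocks. The sample config is a constructed, shortened copy of the one posted.

```shell
# Added example (not pfSense or ISC code): catch the permit that stops dhcpd.
# The log shows dhcpd rejecting "ignore members of" in a pool ("expecting allow/deny key").

# find_ignore_permits FILE
# Prints "LINE:CLASS" for each "ignore members of" inside a pool block.
# Returns 1 if any was found, 0 if the file is clean.
find_ignore_permits() {
    awk '
    {
        line = $0
        sub(/#.*$/, "", line)                      # drop trailing comments
        if (!in_pool && line ~ /(^|[ \t;}])pool[ \t]*[{]/) {
            in_pool = 1; depth = 0
            sub(/^.*pool[ \t]*[{]/, "{", line)     # count braces from "pool {"
        }
        if (!in_pool) next
        if (match(line, /ignore[ \t]+members[ \t]+of[ \t]+"[^"]*"/)) {
            cls = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", cls); sub(/"$/, "", cls)
            print NR ":" cls                       # line number and class name
            bad = 1
        }
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (depth <= 0) in_pool = 0                # pool block closed
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a shortened copy of the generated file in the post.
sample_conf() {
cat <<'EOF'
class "000EE3" {
  match if substring (hardware, 1, 3) = 00:0E:E3;
}
subnet 10.2.0.0 netmask 255.255.0.0 {
  pool {
    ignore members of "000EE3";
    range 10.2.10.10 10.2.255.245;
  }
}
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
hits=$(find_ignore_permits "$tmp") || echo "dhcpd would reject line:class $hits (use deny)"
rm -f "$tmp"
```

On the firewall itself, `dhcpd -t -cf /var/dhcpd/etc/dhcpd.conf` runs the full ISC parser over the generated file without starting the service.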
-
I'm also having the same problem. Added an extra pool with TFTP options for my phones. Set up the main pool to ignore my phones' MAC. Getting the same errors in the log and dhcpd won't start.
-
Got mine fixed. Can't use the ignore option. Had to leave it on deny.
I assumed I would need ignore rather than deny so one of my other defined pools would then respond. That is not actually the case. My main pool is now set to deny the MACs I wanted to go to the other pool, and the other pool is set to allow those MACs. This created the behavior I was actually after.
I wonder when the ignore option is actually needed or desired.
-
I'm also having the same problem. Added an extra pool with TFTP options for my phones. Set up the main pool to ignore my phones' MAC. Getting the same errors in the log and dhcpd won't start.
Same problem here, a customer has its Avaya PBX with its own DHCP on the same LAN as the computer. Phone won't work with DHCP reject and the "ignore" option crashes the pfSense DHCP.
I'm trying to convince them to put the VoIP on a separate VLAN and use LLDP-MED but, nonetheless, I'd like to see this bug fixed.
-
Necroposting detected :D
I'm not sure, but it seems like I fixed it.
In /etc/inc/services.inc change the string
$dhcpdconf .= " $deny_action members of \"" . str_replace(':', '', $mac) . "\";\n";
to
$dhcpdconf .= " deny members of \"" . str_replace(':', '', $mac) . "\";\n";
Carefully, make a backup before patching.
Yours faithfully, good luck!
-
@daszip Hi!
FYI, this bug is still present on 21.02.2-RELEASE.
-
still present on: pfsense 2.5.2-RELEASE (amd64), modification works great
-
I just battled through this on 21.05.1-RELEASE (arm)
-
@sdm900 I can confirm that this bug still exists with version 2.6.0-RELEASE (amd64). The supplied fix appears to allow DHCP to continue running after entering in denied clients with the "ignore" option selected.