Assigning DHCP leases based on Wireless or Wired connection.

FroToast

Hi there,

I'm running pfsense on a small power sipping box with a Unifi UAP AC access point. Is there any way to assign leases to clients from separate DHCP pools based on the connection(Wired or Wireless)? I have thought of using one VLAN for wireless and one for wired but, I have some home services like syncthing that will not communicate with clients unless server and client are on the same subnet.

I realize that I can view wireless clients on the Unifi controller software but - just a shot in the dark, - If there is an easier solution rather than cross referencing, I would appreciate any feedback or support.

Thank you,

occamsrazor

I guess it is not really an answer to your question, and I don't know how many devices you are using so not sure if feasible... but I just set 2 x static DHCP addresses for each devices based on their different wired/wifi mac addresses. Though I use the same pool. So for example my Macbook gets 192.168.0.6 for wired, and 192.168.0.16 for wifi. I suspect that's not quite what you are looking for but figured I'd mention.

JKnott

@FroToast

If you want everything in the same subnet, no, but you could assign addresses to specific MACs. My question is why do you want to do this? What does it get you?

johnpoz

@FroToast said in Assigning DHCP leases based on Wireless or Wired connection.:

assign leases to clients from separate DHCP pools based on the connection(Wired or Wireless)?

You can do such a thing if you know what mac address you want to pull from which pool, if say all your devices are the same vendor and their mac addresses all start with 50:c7:bf (tplink)

Might be problematic if wired interface and wireless is same vendor, and the mac have the same 3 numbers.

Or as already mentioned you could just create reservations for each specific device.

Why do you think these devices need to be on the same L2? Your syncthing example clearly states on their home page that it can work over the internet.. So that sure and the F is not the same L2 ;)

Simple. Syncthing doesn't need IP addresses or advanced configuration: it just works, over LAN and over the Internet.

So simple solution is to break out your wifi to its own vlan, or even multiple vlans based upon multiple criteria.. I have all my roku devices in their own vlan for example - so I can easily control what they can and can not do either to my other vlans or to the internet.. I have other iot devices in a different vlan - for example my alexa (dots and show) stuff all in different vlan than my roku's

I also assign them specific IPs, so I know what IP is what.. And then could even do finer control/monitoring based on those IPs

You can also with the use of vlans make sure that a device be it wired or wireless is always in the same vlan this way. Just put the port your going to plug them in on your switch in the same vlan as some specific wireless SSID.. Or you could really get fancy with it and do dynamic assigned vlans. But I would table such a setup until such time as your skill set is advanced to that level ;) Wireless is pretty easy to do with the unifi stuff and freerad package on pfsense.. But if you wanted to do it on your switch(es) they would need to be a bit more advanced then your typical $40 smart switch that does vlans.

FroToast

Thank you for your responses!

@JKnott
I am not running any large network, but I have about 40 devices on average on my network. Looking at the large DHCP lease list for my home network makes my head spin. Managing each group separately would allow me to easily see catch any unauthorized users and give me a little more peace of mind. not that that my network is weakly secured or anything

@occamsrazor
I could assign a static dhcp lease for any wired device I recognize in my network. But my concern is if it changes mac address for some reason, I could lose track of it.

@johnpoz
The thing with syncthing is that, unless I port forward it, all the client connections will be "relayed" because (from my guess) it will think the server is on the internet due to it being on a separate subnet.

Even though question was mostly a shot in the dark, I appreciate your detailed and helpful response

I have syncthing running on a Proxmox hypervisor so I could try giving syncthing two separate virtual NICs, each on its own subnet - one assigned to wifi clients, one assigned to wired clients.

Thanks!

johnpoz

I don't use syncthing - but I find it unlikely that it would relay sync just because 1 of the devices are on a different subnet.

JKnott

@FroToast said in Assigning DHCP leases based on Wireless or Wired connection.:

But my concern is if it changes mac address for some reason, I could lose track of it.

Why would the MAC change, unless you changed it? Even if that happened, the device would get an address from the DHCP pool and the assigned address are not in that pool, so it would be obvious.

johnpoz

Devices don't just go willy nilly changing their mac addresses ;)

Even when its a VM, the mac doesn't change for the vnic you created without you going in and actually changing it..