Netgate Discussion Forum

    Is it possible to separate a range of ips in the range for a given router?

    DHCP and DNS
    • J
      jucelio_rosa @SteveITS
      last edited by

      @steveits said in Is it possible to separate a range of ips in the range for a given router?:

      Are you talking about the DHCP server address range/pool? That's set on Services/DHCP Server/LAN. Use additional pools to break up a range.

      What I would like to know is if it is possible for everyone who connects to the network through a specific router to stay within a certain IP range.

      • S
        SteveITS Galactic Empire @jucelio_rosa
        last edited by

        You can limit which devices can access the Internet via firewall rules on LAN.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          If both routers are on the same L2, they cannot both use separate DHCP servers and function properly.

          You can only have one DHCP server per L2 network.

          Each router must have its own separate VLAN or other L2 isolation (separate switches, for example).

          Or you could have a single central DHCP server not on either router which knows about all clients and hands out the right router info to each of them.

          But trying to have two routers both with DHCP on the same flat network isn't viable.

          Maybe someone could set it up so the server on router A denied all clients for router B and vice versa, but that is a horrible mess to maintain and not all router DHCP servers support locking down clients in that way.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • S
            SteveITS Galactic Empire @jimp
            last edited by

            @jimp said in Is it possible to separate a range of ips in the range for a given router?:

            You can only have one DHCP server per L2 network

            I thought about that being the question also...best case, I think devices will get an IP from either one (randomly)? Windows' DHCP server will "see" the other DHCP server and disable itself.

            • JKnottJ
              JKnott @jimp
              last edited by

              @jimp said in Is it possible to separate a range of ips in the range for a given router?:

              You can only have one DHCP server per L2 network.

              That's not correct. DHCP is designed to support multiple servers on a LAN. The discovery is broadcast to all servers and the client goes with the first to respond. Of course, the servers should provide the same info re routers, etc. and avoid handing out duplicate addresses, though duplicate address detection works to prevent that.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

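As an added illustration of the multi-server behaviour debated above (not code from any poster or from pfSense): a Python script that parses DHCPOFFER payloads seen on one L2 segment and reports servers outside an allow-list, differing router options, and addresses offered by more than one server. The packets, addresses and function names are constructed for this example.

```python
import ipaddress
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
OFFER = 2                     # option 53 value for DHCPOFFER

def build_offer(xid, yiaddr, server, router):
    """Build a minimal DHCPOFFER payload; used only to construct sample input."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         ip("0.0.0.0"), ip(yiaddr), ip(server), ip("0.0.0.0"),
                         bytes.fromhex("020000000001"), b"", b"")
    return (header + MAGIC + bytes([53, 1, OFFER, 54, 4]) + ip(server)
            + bytes([3, 4]) + ip(router) + b"\xff")

def parse_offer(payload):
    """Return (server_id, offered_ip, routers) for a DHCPOFFER, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # 0 = pad, no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                                 # truncated option
        opts[payload[i]] = value
        i += 2 + length
    if opts.get(53) != bytes([OFFER]) or len(opts.get(54, b"")) != 4:
        return None
    raw = opts.get(3, b"")                              # option 3 = router list
    routers = tuple(ipaddress.IPv4Address(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4))
    return ipaddress.IPv4Address(opts[54]), ipaddress.IPv4Address(payload[16:20]), routers

def audit(payloads, authorized):
    """List findings for DHCPOFFERs captured on one L2 segment."""
    allowed = {ipaddress.IPv4Address(a) for a in authorized}
    offers, routers = defaultdict(set), defaultdict(set)
    for server, offered, gateways in filter(None, map(parse_offer, payloads)):
        offers[server].add(offered)
        routers[server].add(gateways)
    servers = sorted(offers)
    findings = [f"unauthorized DHCP server {s}" for s in servers if s not in allowed]
    if len(set().union(*routers.values())) > 1:
        findings.append("servers advertise different routers")
    for n, a in enumerate(servers):
        for b in servers[n + 1:]:
            findings += [f"{d} offered by both {a} and {b}" for d in sorted(offers[a] & offers[b])]
    return findings

# Constructed sample: two servers answer discoveries on the same segment.
SAMPLE = [
    build_offer(0x1001, "192.168.1.100", "192.168.1.1", "192.168.1.1"),
    build_offer(0x1001, "192.168.1.100", "192.168.1.2", "192.168.1.2"),
    build_offer(0x1002, "192.168.1.101", "192.168.1.1", "192.168.1.1"),
]
print("\n".join(audit(SAMPLE, ["192.168.1.1"])))
```

With a real capture, the payloads would be the UDP bodies of server replies sent from port 67.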
              • JKnottJ
                JKnott @jucelio_rosa
                last edited by

                @jucelio_rosa

                You can configure a DHCP server to map specific addresses to MACs and not allow any others. Perhaps the clients can be split into groups using that.

                • JKnottJ
                  JKnott @SteveITS
                  last edited by

                  @steveits said in Is it possible to separate a range of ips in the range for a given router?:

                  I think devices will get an IP from either one (randomly)?

                  As I mentioned in another note, multiple DHCP servers are supported. Your problem is dividing the clients into groups. I believe mapping IP addresses to MAC addresses might do that for you.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @JKnott
                    last edited by johnpoz

                    If you have 2 different routers - why would you not split your network into 2 different networks?

                    Or just set up these 2 routers to provide connection to your 1 network, then you could just policy route what you want to use what internet, etc.

                    Multiple DHCP servers on the same L2 handing out specific IPs is not the correct solution to anything.

                    Forget about what hands what IP.. What is the goal? For some devices to use internet 1, and others to use internet 2? Do you want these devices to be able to talk to each other, or do you want to isolate them?

                    Do you want say device that was using internet 1, to be able to use internet 2 - if say internet 1 was down?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    • jimpJ
                      jimp Rebel Alliance Developer Netgate @JKnott
                      last edited by

                      @jknott said in Is it possible to separate a range of ips in the range for a given router?:

                      @jimp said in Is it possible to separate a range of ips in the range for a given router?:

                      You can only have one DHCP server per L2 network.

                      That's not correct. DHCP is designed to support multiple servers on a LAN. The discovery is broadcast to all servers and the client goes with the first to respond. Of course, the servers should provide the same info re routers, etc. and avoid handing out duplicate addresses, though duplicate address detection works to prevent that.

                      Next time read my whole reply instead of cherry picking just the one thing out of context.

                      Sure, with enough special hoop-jumping you can, but the way most routers implement DHCP servers, you can't practically do it.

                      • JKnottJ
                        JKnott @jimp
                        last edited by

                        @jimp said in Is it possible to separate a range of ips in the range for a given router?:

                        Sure, with enough special hoop-jumping you can, but the way most routers implement DHCP servers, you can't practically do it.

                        It's not hoop jumping. It's the way DHCP was designed to work. Just configure the routers properly and if you don't want to rely on duplicate address detection, then just use separate pools. This, combined with static mappings, may be what OP needs.

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @JKnott
                          last edited by

                          This seems to be a typical xy problem... We shouldn't even be discussing multiple dhcp servers..

                          While there are ways to run multiple dhcp servers on the same L2 for redundancy and the like.. I doubt we should be going down that specific rabbit hole.. Without some understanding of what the actual goal really is..

                          I can see all different ways to skin the cat here with 2 routers, and wanting some clients to use router 1 and some to use router 2. I sure wouldn't be trying to solve that via 2 different dhcp servers on the same L2 by limiting what clients each dhcp server hands info to.

                          Why not just create 2 different networks - now you don't have to worry about any sort of way to tell the dhcp servers who or what to hand info to.

                          @jucelio_rosa what is the ultimate goal here? What is this other router, if some shit soho box its dhcpd is prob very limited in what it could do in limiting which clients it provides dhcpd, etc.

                          Do these clients need to be able to talk to each other, or share access to some other resource? Do you want to leverage the 2 internet connections with both clients? What is the other infrastructure (switch(es))? How many clients? 10, 100, 1000?

                          • J
                            jucelio_rosa @JKnott
                            last edited by

                            @jknott Good Morning.
                            I would just like to know if there is any feature in pfSense that allows you to separate part of the ip range for clients that connect to the network from a specific router.
                            There are few clients that access the network through this router. From 10 to 20. They need access to the network and all its resources (internet, servers...). I would like to separate part of the IP range for these clients. Other clients could not access these IPs.

                            • J
                              jucelio_rosa @JKnott
                              last edited by

                              @jknott People access this router using computers, corporate cell phones, and personal cell phones. If they only used corporate computers and corporate cell phones, I would use the mac address to allocate an ip for each device.

                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                No router can enforce the address used by clients in that way 100% -- that's up to L2 (the switches/APs). You can sort of fudge it with static ARP entries but MACs can be spoofed or change (wireless privacy MACs for example). Static ARP on a router also doesn't stop someone from using IP addresses at L2 locally, only when attempting to communicate through the router.

                                The DHCP server(s) you're using would have to know which MACs belong to those specific addresses so they can be assigned to the correct ones, and so they can get the correct router and DNS information via DHCP.

                                Once the addresses are assigned to the clients, then you can set up firewall rules to only allow traffic through pfSense from the source addresses you want.

                                You're still better off isolating the other router and clients in their own L2 VLAN+SSID and bypassing all these problems.

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @jucelio_rosa
                                  last edited by

                                  @jucelio_rosa said in Is it possible to separate a range of ips in the range for a given router?:

                                  that connect to the network from a specific router.

                                  So is this router some wifi router doing nat? Users don't normally "connect" to a network via a router.. Unless you're talking some wifi soho thing, or you're talking about clients from some other network accessing yours via a route through a router..

                                  Yes pfsense has the ability to create different pools, and use specific mac to assign from those pools. And the ability to create a reservation to give any specific mac address an IP outside the pools but still inside your network, etc... All of which is pretty pointless if you have all kinds of different devices connecting to the network you have no control over and no idea what their macs are.

                                  What it seems like to me is you have some "solution" in mind which is prob not the easy way to accomplish your actual goal..

                                  As jimp has stated - isolating devices into their own network(s) is the best solution..

                                  • J
                                    jucelio_rosa @jimp
                                    last edited by

                                    @jimp Thank you so much for replying. I will check with my manager what he wants to do about this matter.

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @jucelio_rosa
                                      last edited by johnpoz

                                      Some drawing of how you have this network setup would be helpful. What it sounds like to me is you have some wifi router providing internet.

                                      And now you want to bring in some other internet connection via pfsense. And tie it to this network somehow.. A drawing and some details of your actual network would help you skin the cat to accomplish your goals..

                                      One way would be to use this other "router" you have as just an AP, and then provide both internet connections from pfsense, etc.

                                      But we really need to understand what you're working with for equipment, and what you're actually wanting to do.. Before we start talking about dhcpd and how to assign specific devices IP and info on what "gateway" to use to get to the internet.

                                      • JKnottJ
                                        JKnott @jucelio_rosa
                                        last edited by

                                        @jucelio_rosa

                                        Not that I'm aware of.

                                        • jimpJ
                                          jimp Rebel Alliance Developer Netgate
                                          last edited by

                                          Something else to consider if your switches and APs support it might be 802.11x / WPA2 Enterprise using RADIUS.

                                          You could have the clients authenticate before they get an address at all, and the RADIUS server would tell the switches/APs/etc where to put the clients on the network (e.g. a specific SSID, VLAN, or address assignment). That separates the user identification from other parts of the process which are more prone to error.

                                          That may be its own special kind of management headache and end user headache, however. It's much more viable for wireless than wired clients.

                                          At least that way you would know for certain that the clients you want to use a specific network are the correct clients without having to guess by MAC address.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.