Netgate Discussion Forum

    Is it possible to separate a range of ips in the range for a given router?

    DHCP and DNS
    21 Posts 5 Posters 1.8k Views
    • jimpJ
      jimp Rebel Alliance Developer Netgate @JKnott

      @jknott said in Is it possible to separate a range of ips in the range for a given router?:

      @jimp said in Is it possible to separate a range of ips in the range for a given router?:

      You can only have one DHCP server per L2 network.

      That's not correct. DHCP is designed to support multiple servers on a LAN. The discovery is broadcast to all servers and the client goes with the first to respond. Of course, the servers should provide the same info re routers, etc. and avoid handing out duplicate addresses, though duplicate address detection works to prevent that.

      Next time read my whole reply instead of cherry picking just the one thing out of context.

      Sure, with enough special hoop-jumping you can, but the way most routers implement DHCP servers, you can't practically do it.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • JKnottJ
        JKnott @jimp

        @jimp said in Is it possible to separate a range of ips in the range for a given router?:

        Sure, with enough special hoop-jumping you can, but the way most routers implement DHCP servers, you can't practically do it.

        It's not hoop jumping. It's the way DHCP was designed to work. Just configure the routers properly and if you don't want to rely on duplicate address detection, then just use separate pools. This, combined with static mappings, may be what OP needs.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @JKnott

          This seems to be a typical xy problem... We shouldn't even be discussing multiple dhcp servers..

          While there are ways to run multiple dhcp servers on the same L2 for redundancy and the like.. I doubt we should be going down that specific rabbit hole.. Without some understanding of what the actual goal really is..

          I can see all different ways to skin the cat here with 2 routers, and wanting some clients to use router 1 and some to use router 2. I sure wouldn't be trying to solve that via 2 different dhcp servers on the same L2 by limiting what clients each dhcp server hands info to.

          Why not just create 2 different networks - now you don't have to worry about any sort of way to tell the dhcp servers who or what to hand info to.

          @jucelio_rosa what is the ultimate goal here? What is this other router, if some shit soho box its dhcpd is prob very limited in what it could do in limiting which clients it provides dhcpd to, etc.

          Do these clients need to be able to talk to each other, or share access to some other resource? Do you want to leverage the 2 internet connections with both clients? What is the other infrastructure (switch(es)).. How many clients? 10, 100, 1000?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • J
            jucelio_rosa @JKnott

            @jknott Good Morning.
            I would just like to know if there is any feature in pfSense that allows you to separate part of the ip range for clients that connect to the network from a specific router.
            There are few clients that access the network through this router. From 10 to 20. They need access to the network and all its resources (internet, servers...). I would like to separate part of the ip range for these clients. Other clients could not access these ips.

            • J
              jucelio_rosa @JKnott

              @jknott People access this router using computers, corporate cell phones, and personal cell phones. If they only used corporate computers and corporate cell phones, I would use the mac address to allocate an ip for each device.

              • jimpJ
                jimp Rebel Alliance Developer Netgate

                No router can enforce the address used by clients in that way 100% -- that's up to L2 (the switches/APs). You can sort of fudge it with static ARP entries but MACs can be spoofed or change (wireless privacy MACs for example). Static ARP on a router also doesn't stop someone from using IP addresses at L2 locally, only when attempting to communicate through the router.

                The DHCP server(s) you're using would have to know which MACs belong to those specific addresses so they can be assigned to the correct ones, and so they can get the correct router and DNS information via DHCP.

                Once the addresses are assigned to the clients, then you can set up firewall rules to only allow traffic through pfSense from the source addresses you want.

                You're still better off isolating the other router and clients in their own L2 VLAN+SSID and bypassing all these problems.

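An added example, not part of jimp's post or of pfSense: because DHCP assignment alone does not enforce who uses an address, one way to check the plan is to audit an ARP-table snapshot against the DHCP static mappings. The reserved range, the MAC addresses and the sample rows are constructed for illustration.

```python
import ipaddress

# Assumed for the example (not from the thread): the slice of the LAN set
# aside for clients behind the second router.
RESERVED = ipaddress.ip_network("192.168.1.192/27")

def normalize_mac(mac):
    """Lower-case, colon-separated form so comparisons are reliable."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit is set, as it is on randomized 'privacy' MACs."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit(observed, static_map):
    """Check observed (ip, mac) pairs against DHCP static mappings {mac: ip}.
    Returns (ip, mac, finding) tuples for entries that break the plan."""
    expected = {normalize_mac(m): ipaddress.ip_address(i)
                for m, i in static_map.items()}
    findings = []
    for ip_text, mac_text in observed:
        ip, mac = ipaddress.ip_address(ip_text), normalize_mac(mac_text)
        if mac in expected and ip != expected[mac]:
            findings.append((str(ip), mac, "mapped device on unexpected address"))
        elif ip in RESERVED and mac not in expected:
            note = "unmapped MAC in reserved range"
            if is_locally_administered(mac):
                note += " (locally administered, likely a privacy MAC)"
            findings.append((str(ip), mac, note))
    return findings

# Constructed sample data: static mappings and an ARP-table snapshot.
STATIC = {"00:1b:21:aa:bb:01": "192.168.1.200", "00:1B:21:AA:BB:02": "192.168.1.201"}
OBSERVED = [
    ("192.168.1.200", "00-1B-21-AA-BB-01"),  # as mapped
    ("192.168.1.50", "00:1b:21:aa:bb:02"),   # mapped device using another address
    ("192.168.1.205", "da:a1:19:00:00:01"),  # phone with a privacy MAC
    ("192.168.1.206", "3c:52:82:00:00:02"),  # unknown burned-in MAC
    ("192.168.1.20", "3c:52:82:00:00:03"),   # ordinary client outside the range
]

if __name__ == "__main__":
    for row in audit(OBSERVED, STATIC):
        print(row)
```

A clean report only shows that nobody is visibly off-plan at that moment; a client that copies a mapped MAC passes this check, which is why the post recommends a separate L2 VLAN+SSID.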
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @jucelio_rosa

                  @jucelio_rosa said in Is it possible to separate a range of ips in the range for a given router?:

                  that connect to the network from a specific router.

                  So is this router some wifi router doing nat? Users don't normally "connect" to a network via a router.. Unless you're talking some wifi soho thing, or you're talking about clients from some other network accessing yours via a route through a router..

                  Yes pfsense has the ability to create different pools, and use specific mac to assign from those pools. And the ability to create a reservation to give any specific mac address an IP outside the pools but still inside your network, etc... All of which is pretty pointless if you have all kinds of different devices connecting to the network you have no control over and no idea what their macs are.

                  What it seems like to me is you have some "solution" in mind which is prob not the easy way to accomplish your actual goal..

                  As jimp has stated - isolating devices into their own network(s) is the best solution..

                  • J
                    jucelio_rosa @jimp

                    @jimp Thank you so much for replying. I will check with my manager what he wants to do about this matter.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @jucelio_rosa

                      Some drawing of how you have this network setup would be helpful. What it sounds like to me is you have some wifi router providing internet.

                      And now you want to bring in some other internet connection via pfsense. And tie it to this network somehow.. A drawing and some details of your actual network would help you skin the cat to accomplish your goals..

                      One way would be to use this other "router" you have as just an AP, and then provide both internet connections from pfsense, etc.

                      But we really need to understand what you're working with for equipment, and what you're actually wanting to do.. Before we start talking about dhcpd and how to assign specific devices IP and info on what "gateway" to use to get to the internet.

                      • JKnottJ
                        JKnott @jucelio_rosa

                        @jucelio_rosa

                        Not that I'm aware of.

                        • jimpJ
                          jimp Rebel Alliance Developer Netgate

                          Something else to consider if your switches and APs support it might be 802.1X / WPA2 Enterprise using RADIUS.

                          You could have the clients authenticate before they get an address at all, and the RADIUS server would tell the switches/APs/etc where to put the clients on the network (e.g. a specific SSID, VLAN, or address assignment). That separates the user identification from other parts of the process which are more prone to error.

                          That may be its own special kind of management headache and end user headache, however. It's much more viable for wireless than wired clients.

                          At least that way you would know for certain that the clients you want to use a specific network are the correct clients without having to guess by MAC address.

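An added example, not part of jimp's post: the VLAN placement described above is carried in a RADIUS Access-Accept as three tunnel attributes defined in RFC 2868 and RFC 3580, which the thread does not name. The code encodes them and validates them the way an authenticator would before applying a VLAN; the function names and VLAN 30 are assumptions made for the example.

```python
import struct

# Attribute and value numbers from RFC 2868 / RFC 3580 (not named in the thread).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def encode_vlan_attributes(vlan_id, tag=0):
    """Build the three tunnel attributes that tell a switch/AP which VLAN to use."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    def tagged_int(attr, value):  # type, length 6, tag, 24-bit value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)

def parse_attributes(blob):
    """Split an attribute list into {type: value}, rejecting bad lengths."""
    attrs, pos = {}, 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("attribute length runs past the data")
        attrs[attr] = blob[pos + 2:pos + length]
        pos += length
    return attrs

def assigned_vlan(blob):
    """Return the VLAN ID the reply asks for, or None if incomplete or malformed."""
    attrs = parse_attributes(blob)
    ttype = attrs.get(TUNNEL_TYPE, b"")
    medium = attrs.get(TUNNEL_MEDIUM_TYPE, b"")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != TYPE_VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != MEDIUM_IEEE_802:
        return None
    if group and group[0] <= 0x1F:  # a leading octet up to 0x1F is a tag
        group = group[1:]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None

if __name__ == "__main__":
    reply = encode_vlan_attributes(30)  # constructed Access-Accept attributes
    print(reply.hex(), "->", assigned_vlan(reply))
```

Returning None when any of the three attributes is missing or wrong matters for isolation: the switch or AP then falls back to its configured default VLAN, so that default should be the restricted network rather than the trusted one.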
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.