Assigning IP addresses
-
I'm relatively new to using pfSense, and am trying to limit the range of IP addresses available for DHCP leases... but wireless devices keep connecting to an IP address outside of that range. We do have a WAP but as far as I can tell it does not have its own DHCP server.
Picture attached. I'm trying to assign addresses 129-253 out of our IP block, but I can verify that right now my laptop is connected with an assigned IP address of 192.168.123.35 - help?
-
Did .35 get its address from before you modified the scope? Make sure you delete the old lease on pfsense, and have client get a new IP from the current scope.
-
@johnpoz No the scope was modified a long time ago and this has been a recurring issue. The laptop I'm using did not have a prior lease because I just brought it in to test this out.
-
What does the dhcpd log say? If the scope is set for .x to .y it wouldn't be handing out .g, for example.. None of my scopes use the full range of IPs available in the network. All clients get their IP from the assigned scope.
You sure you don't maybe have something else handing out IPs? I would look at the log; you should see the client asking and what it got back, etc., be it a renew or a discover.. If you don't see the log entry, pfsense didn't hand out the lease.
example - here is request for specific IP from one client, and then you also see the discover, offer, request and then ack for client asking for new IP, etc..
-
@johnpoz You are right - something else is handing out the leases. In the logs it says "unknown lease". I've checked the settings for our WAP device and there's nothing in there about DHCP. Any suggestions?
-
@elitehuskarl said in Assigning IP addresses:
In the logs it says "unknown lease"
You should be able to look on the client to see who the dhcp server was that handed out its IP..
As to discovery, a simple nmap scan with the dhcp discover script should show you what is answering dhcp..
example - my network, there is only the pfsense handing out dhcp on that vlan.. But you get the idea..
root@NewUC:/home/user# nmap --script broadcast-dhcp-discover
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-14 11:49 CDT
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.2.215
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.2.253
|     IP Address Lease Time: 5m00s
|     WPAD:
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.2.253
|     Domain Name Server: 192.168.3.10
|     Domain Name: local.lan
|_    NTP Servers: 192.168.3.32, 192.168.2.253
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.81 seconds
root@NewUC:/home/user#
On a windows client, to see who the dhcp server was that answered - ipconfig /all
Connection-specific DNS Suffix . : local.lan
Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller #2
Physical Address. . . . . . . . . : 00-13-3B-2F-67-63
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.9.202(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, July 14, 2021 11:52:40 AM
Lease Expires . . . . . . . . . . : Sunday, July 18, 2021 11:52:40 AM
Default Gateway . . . . . . . . . : 192.168.9.253
DHCP Server . . . . . . . . . . . : 192.168.9.253
DNS Servers . . . . . . . . . . . : 192.168.3.10
NetBIOS over Tcpip. . . . . . . . : Enabled
Could you post the actual log where you're seeing that.. The client will also ask to renew his old IP, which could be in your range even though he got it elsewhere.. And when not renewed, he just continues to use his old IP.
What did the dhcp server send back to his dhcprequest?
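As an added example (not from the post or its author), a small Python script that parses the output of nmap's broadcast-dhcp-discover script shown above and flags any DHCPOFFER whose Server Identifier is not one of the DHCP servers you expect on that segment. The first response is the one from the post; the second response and the authorized-server list are constructed.

```python
import re
from typing import Dict, List, Set

# Output of `nmap --script broadcast-dhcp-discover`: response 1 is copied from the
# post above; response 2 (server 192.168.2.10) is constructed to show a rogue being flagged.
SAMPLE_OUTPUT = """\
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 2:
|     IP Offered: 192.168.2.215
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.2.253
|     IP Address Lease Time: 5m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.2.253
|     Domain Name Server: 192.168.3.10
|     Domain Name: local.lan
|     NTP Servers: 192.168.3.32, 192.168.2.253
|   Response 2 of 2:
|     IP Offered: 192.168.2.35
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.2.10
|     IP Address Lease Time: 8d00h00m00s
|     Subnet Mask: 255.255.255.0
|_    Router: 192.168.2.253
"""

RESPONSE_RE = re.compile(r"^\|\s+Response \d+ of \d+:")
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z ]+?):\s*(.*)$")  # "|     Key: value" lines


def parse_dhcp_offers(text: str) -> List[Dict[str, str]]:
    """Turn the nmap script output into one {field: value} dict per DHCP response."""
    offers: List[Dict[str, str]] = []
    for line in text.splitlines():
        if RESPONSE_RE.match(line):
            offers.append({})          # a new "Response N of M:" header starts a new offer
            continue
        m = FIELD_RE.match(line)
        if m and offers:               # ignore fields seen before the first response header
            offers[-1][m.group(1).strip()] = m.group(2).strip()
    return offers


def find_rogue_servers(offers: List[Dict[str, str]], authorized: Set[str]) -> List[Dict[str, str]]:
    """Return every offer whose Server Identifier is not an authorized DHCP server."""
    return [o for o in offers if o.get("Server Identifier") not in authorized]


if __name__ == "__main__":
    for rogue in find_rogue_servers(parse_dhcp_offers(SAMPLE_OUTPUT), {"192.168.2.253"}):
        print("rogue DHCP server", rogue["Server Identifier"], "offered", rogue["IP Offered"])
```

Run it against a real scan by piping the nmap output into the parser; a server whose Server Identifier you do not recognize is the one to track down on the switch.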
-
@johnpoz Thank you for these tips; using ipconfig I was able to see that the DHCP service was turned on for one of the DCs. In retrospect that seems obvious but I am brand new to all of this.
Now I have to figure out which is better to use as the DHCP server - pfSense or Windows Server. Any input? I want to be able to prevent any rogue DHCP servers from coming on to our network.
-
Are you a MS shop? If you're running AD, it's pretty clear you should just use your AD for dns and dhcp.. It's part of MS design, etc.
Running them on something else doesn't really get you anything. You can run dns and dhcp on pfsense, sure. But why, when you already have a well rounded, feature rich dns and dhcp that integrates by design with your AD.
Moving these services to pfsense will only complicate the setup.
You can leverage unbound and pfblocker very easily by just setting your AD dns to forward to pfsense, to let it do your internet resolving and blocking of stuff on dns via pfblocker lists, etc.
If it were me and I had AD set up... I would just use it for dns and dhcp. It just makes sense to do it that way, with all your clients pointing there for dns.. Set up AD dns to forward to unbound, and let it resolve your public stuff.
I would also set up unbound with a domain override for your AD domain and PTR zones, so that pfsense can resolve your client IPs for hits in your firewall, etc.
As to blocking unwanted dhcp servers - what switches are you using? You would normally block unwanted dhcp traffic via dhcp snooping. This would be done on your switch(es).