Non-Static DHCP Clients Blocked
-
Hi,
My apologies, not sure if this is really a DHCP or firewall issue - but let me try to explain.
Got a bit of a nasty surprise on Christmas - had folks over, gave them access to my WiFi network. They received IP addresses from the dynamic pool, but couldn't access the internet from their devices. Did a bit of debugging, and it seems that if I have Static ARP enabled, then any dynamic clients cannot access … well, basically anything ... :(. I do see a note now about "Only the machines listed below will be able to communicate with the firewall on this interface." => but I guess that means non-static clients are basically dead. Is that really the case?
It may be me, but I would think both static and dynamic can be made to work, no? I need static ARP (MAC => IP address mapping) for some devices, but still want real dynamic devices to work as well. Any direction on how to make this work?
BTW also ... I noticed that with Static ARP enabled - in the DHCP Client status table, static devices always show as online then (even if they are not), and have a "person" icon. But dynamic devices always show as offline (even if online), and show as a check mark?
Any way to make this all function?
Thanks!
-
Well, the static arp setting has this:
"This option persists even if DHCP server is disabled. Only the machines listed below will be able to communicate with the firewall on this interface."
So, unless you added their MAC addresses, they won't work.
Why are you using static ARPs anyway? What does it get you? The ARP cache is used only to map an IP address to a MAC address. If a device doesn't know the MAC address, it sends an ARP request and then adds the returned MAC address to the cache.
The only time I've ever had to use static ARPs is to configure a device that needed an IP address to be configured, but didn't have one initially. For those devices, I had to create an ARP cache entry for the device and then ping it with a specific size packet. The device would then learn its IP address from that ping.
Bottom line, turn off static ARP. You don't need it.
-
Hi,
Unfortunately I do need Static ARP - can't turn it off unfortunately … :(. It's for Load Balancing (some server items), that require fixed IP addresses - confirmed before by folks here that I can't use hostnames, so I do need fixed IP addresses.
Other ideas?
Thanks!
-
Then you'll need a separate DHCP server to work with the guest devices. A cheap router will do. You can also do it with a Linux or BSD box.
-
"that require fixed IP addresses - confirmed before by folks here that I can't use hostnames, so I do need fixed IP addresses."
What does that have to do with static arp?? Zero.. would be my answer to that question ;)
I think the term has confused you.. You can have static IP devices on your network, you can even have a static arp entry in your arp table for them. This has zero to do with turning on the static arp feature.. That tells pfSense ONLY talk to devices you have static arps for..
-
"that require fixed IP addresses"
Then you need static DHCP mappings, not static ARP. You can easily do that on the DHCP Server page, way at the bottom under "DHCP Static Mappings for this Interface". You configure the desired IP address for the MAC address.
-
Yes, I think I misunderstood the difference between the two = thanks!
So to confirm … DHCP Static Mappings are taken into use independent of the Static ARP setting (i.e. checkbox) - do I have that right?
Again, thanks for clarifying!
-
Yes, you use static DHCP mappings to ensure a device always gets the same IP address. In general practice, you'd assign addresses outside of the DHCP pool used for other devices. For example, if your DHCP pool was .100 to .199, you could assign static addresses outside of that range, though it's not necessary to do so.
-
That part I did do right … ;)
Thanks again for the help!!!
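-
Added example, not part of the thread and not pfSense's own code: a small audit that flags the situation discussed above, an interface with Static ARP enabled that still hands out a dynamic pool, and also notes static mappings that fall inside the pool. The XML element names are assumed from the `<dhcpd>` section of a pfSense config.xml, and the sample data is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. Element names (staticarp, range/from/to, staticmap/mac/ipaddr)
# are assumed from the pfSense config.xml format; addresses and MACs are made up.
SAMPLE = """
<dhcpd>
  <lan>
    <enable/><staticarp/>
    <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
    <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.1.10</ipaddr></staticmap>
    <staticmap><mac>00:11:22:33:44:66</mac><ipaddr>192.168.1.150</ipaddr></staticmap>
  </lan>
  <opt1>
    <enable/>
    <range><from>10.0.0.100</from><to>10.0.0.199</to></range>
    <staticmap><mac>00:11:22:33:44:77</mac><ipaddr>10.0.0.5</ipaddr></staticmap>
  </opt1>
</dhcpd>
"""

def audit(xml_text):
    """Return {interface: [findings]} for each DHCP-enabled interface."""
    report = {}
    for iface in ET.fromstring(xml_text):
        if iface.find("enable") is None:
            continue  # DHCP server not enabled on this interface
        findings = []
        rng = iface.find("range")
        lo = hi = None
        if rng is not None and rng.findtext("from") and rng.findtext("to"):
            lo = ipaddress.ip_address(rng.findtext("from"))
            hi = ipaddress.ip_address(rng.findtext("to"))
        maps = [(m.findtext("mac"), m.findtext("ipaddr")) for m in iface.findall("staticmap")]
        if iface.find("staticarp") is not None:
            # Static ARP: only MACs with a static mapping can talk to the firewall.
            allowed = sorted(mac for mac, _ in maps if mac)
            findings.append("static-arp-on: only %s can reach the firewall" % allowed)
            if lo is not None:
                findings.append("dynamic pool %s-%s leases addresses that cannot communicate" % (lo, hi))
        for mac, ip in maps:
            if ip and lo is not None and lo <= ipaddress.ip_address(ip) <= hi:
                findings.append("note: static mapping %s -> %s is inside the dynamic pool" % (mac, ip))
        report[iface.tag] = findings
    return report

if __name__ == "__main__":
    for name, items in audit(SAMPLE).items():
        print(name, items or "ok")
```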