Ability to route to different gateways based on DHCP IP address returned



  • My goal is to have a way to route to different gateways by getting 2 different IP addresses automatically assigned from my DHCP router/access point, and each IP address would be configured differently in my pfSense NAT/firewall to route either via the ISP gateway or via the OpenVPN client gateway.

    Basically the ability to quickly switch IP address and route to a different gateway.

    Question #1: Is there a way to have 2 DHCP servers, each responsible for a different IP range within the same subnet, without using VLANs? (I know I can easily have each SSID per VLAN, but then I need to install IGMP Proxy.)

    Question #2: Is there a way to change something on the client machine besides the MAC address/static IP address that can force the DHCP server to provide a different IP address to the client? (Android mobile phone, tablet, laptop, notebook)

    Thank you all



  • I'm new to this, so bear with me, but: why would you want two DHCP servers on the same subnet? That seems odd. I think it's more common to see one DHCP server for each interface, and to have the interface subnets be separate.

    As for your #2, I think the answer is no, and why would you want to? The client MAC is the most common way to identify a client for the purposes of static mappings.



  • Thinking further - is this your intent?

    • Based on (??) criteria, DHCP clients on the LAN side are assigned to either the ISP or the VPN
    • If assigned to the ISP, forward DHCP requests to the ISP DHCP server
    • If assigned to the VPN, forward DHCP requests to the VPN DHCP server
    • Do not use NAT.

    What kind of criteria do you have to "quickly switch" between the VPN and the ISP? Is this done at runtime automatically, or manually? In the firewall itself or from the client? Is it static (per-client) or does the client need to change between the two?



  • @ChefRayB:

    My goal is to have a way to route to different gateways by getting 2 different IP addresses automatically assigned from my DHCP router/access point, and each IP address would be configured differently in my pfSense NAT/firewall to route either via the ISP gateway or via the OpenVPN client gateway.

    Basically the ability to quickly switch IP address and route to a different gateway.

    Question #1: Is there a way to have 2 DHCP servers, each responsible for a different IP range within the same subnet, without using VLANs? (I know I can easily have each SSID per VLAN, but then I need to install IGMP Proxy.)

    Question #2: Is there a way to change something on the client machine besides the MAC address/static IP address that can force the DHCP server to provide a different IP address to the client? (Android mobile phone, tablet, laptop, notebook)

    Thank you all

    What, exactly, are you trying to do?

    If you're trying to set up load balancing, there is a bit more to it than that. With Cisco gear, they set up a virtual IP address for the router and then, whenever an ARP request for the virtual IP is made, hand out a different (virtual) MAC address for that virtual IP. The virtual MACs are assigned to all the routers, so that each one is used in a more or less balanced manner.

    I'm new to this, so bear with me, but: why would you want two DHCP servers on the same subnet?

    Redundancy. Multiple DHCP servers are often used in large networks. It doesn't matter which one responds to a client. However, there has to be some means to ensure the same IP address is not handed out to more than one device. These days, devices usually do an ARP request, to verify an address is not in use, before using it. You could also configure each DHCP server to hand out a different portion of the address pool.



  • @JKnott:

    What, exactly, are you trying to do?

    I want the luxury and comfort of having the ability to change SSID and receive another range of IP addresses within the same subnet, so that I can have my outgoing internet routed either via ISP or OpenVPN (I will put a rule in my pfSense based on the IP range). But when I change SSID, I don't want to be in another subnet or in another VLAN, because then all applications that use same-subnet protocols (IGMP, PIM) won't work anymore (e.g. Sonos).

    Subnet 192.168.1.0
    SSID ISP 192.168.1.1-128
    SSID VPN 192.168.1.129-254
    pfSense routes 1-128 through the ISP gateway and 129-254 through the OpenVPN gateway.

    I am fully aware I can have a separate VLAN for each SSID, but then my same-subnet protocols (IGMP, PIM) won't be routed across VLANs. I am fully aware I can change the IP address statically on my client and achieve what I want to do, but I want to do it automatically so that I don't need to type anything or set up DNS, etc.

    I bought a Ubiquiti AP Lite (still in the box), but the AP uses the DHCP from the subnet interface.

    If this is not possible, then perhaps I will be stuck always setting up IP addresses manually on my Android tablet and on my computer to switch IP address... perhaps write myself a small application.
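As an added illustration that is not part of the thread, the range split above expressed as the CIDR blocks a pfSense network alias would need, together with a source-based gateway selector and a check that two DHCP pools on one subnet do not overlap; ISP_GW and VPN_GW are placeholder gateway names, not identifiers from the thread:

```python
import ipaddress

# Constructed from the thread: 192.168.1.1-128 is meant to leave via the ISP
# gateway and 192.168.1.129-254 via the OpenVPN gateway, all in one /24.
# Gateway names are placeholders, not pfSense identifiers from the page.
SUBNET = ipaddress.ip_network("192.168.1.0/24")
RANGE_POLICY = [
    ("ISP_GW", "192.168.1.1", "192.168.1.128"),
    ("VPN_GW", "192.168.1.129", "192.168.1.254"),
]

def range_to_cidrs(first, last):
    """Collapse an inclusive address range into the CIDR blocks a firewall alias needs."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]

def alias_table(policy=RANGE_POLICY):
    """One network alias per gateway; many blocks means the split is not CIDR-aligned."""
    return {gw: range_to_cidrs(first, last) for gw, first, last in policy}

def aligned_split(subnet=SUBNET):
    """The CIDR-aligned alternative: two /25 halves, one per gateway."""
    return [str(half) for half in subnet.subnets(prefixlen_diff=1)]

def select_gateway(src_ip, policy=RANGE_POLICY):
    """Source-based policy route: first matching range wins. No match returns None
    (fail closed) instead of silently falling back to the ISP default route."""
    ip = ipaddress.ip_address(src_ip)
    for gw, first, last in policy:
        if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
            return gw
    return None

def pools_overlap(policy=RANGE_POLICY):
    """Two DHCP pools on one subnet must be disjoint, or both servers may lease one address."""
    ranges = sorted((ipaddress.ip_address(f), ipaddress.ip_address(l)) for _, f, l in policy)
    return any(ranges[i][1] >= ranges[i + 1][0] for i in range(len(ranges) - 1))

if __name__ == "__main__":
    for gw, blocks in alias_table().items():
        print(gw, len(blocks), "blocks:", ", ".join(blocks))
    print("aligned alternative:", aligned_split())
    for ip in ("192.168.1.50", "192.168.1.128", "192.168.1.200", "192.168.1.255"):
        print(ip, "->", select_gateway(ip))
    print("DHCP pools overlap:", pools_overlap())
```

The .1-.128 / .129-.254 split needs 8 and 12 alias entries respectively because neither range sits on a CIDR boundary; splitting at .127/.128 gives one /25 per gateway.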



  • Why do you need them in the same subnet?



  • @JKnott:

    Why do you need them in the same subnet?

    If I have them in the same subnet, then I don't need to configure anything in the future; any multicast protocol would work (IGMP, PIM[dense|sparse|SourceSpecific], SSDP, etc.).

    I was hoping to keep everything in 1 subnet, but I want the luxury of having multiple SSIDs, which allows me to dictate the gateway to route through to the internet rather than being forced to change the static IP address each time I want to use a different gateway.

    Hope that makes it clear.



  • @ChefRayB:

    @JKnott:

    Why do you need them in the same subnet?

    If I have them in the same subnet, then I don't need to configure anything in the future; any multicast protocol would work (IGMP, PIM[dense|sparse|SourceSpecific], SSDP, etc.).

    I was hoping to keep everything in 1 subnet, but I want the luxury of having multiple SSIDs, which allows me to dictate the gateway to route through to the internet rather than being forced to change the static IP address each time I want to use a different gateway.

    Hope that makes it clear.

    Unfortunately it doesn't. You seem to be going through a lot of trouble for reasons that escape me. On one hand you want things to be on the same network, but on the other, you don't.



  • I'm also unclear on the reasoning here.

    If you're worried about "same-subnet protocols" not working, there are specific provisions in pfSense to accommodate for (for example) broadcast between subnets; further reading: https://doc.pfsense.org/index.php/IGMP_Proxy



  • @reinderien:

    I'm also unclear on the reasoning here.

    If you're worried about "same-subnet protocols" not working, there are specific provisions in pfSense to accommodate for (for example) broadcast between subnets; further reading: https://doc.pfsense.org/index.php/IGMP_Proxy

    IGMP Proxy is buggy

    @JKnott:

    Perhaps a real scenario would help:

    I take my tablet, select SSID A, go on the website www.whatismyip.com and it says Canada; I go on Netflix Canada.
    I take the same tablet, change to SSID A, go on the website www.whatismyip.com and it says USA; I go on Netflix USA, Hulu USA.
    I take the same tablet, change to SSID C, go on the website www.whatismyip.com and it says UK; I go on Netflix UK.

    Despite whichever SSID I pick (A or B or C), I still wish to remain in the same subnet so that my Synology NAS, Sonos, wireless printer, IP TV and whatever protocol that usually works just within a subnet works on my tablet.

    I am aware of the workarounds:

    • use VLANs and either use IGMP Proxy, Avahi or stop using those home protocols ( clickely clickely )
    • simply change the IP address manually on the tablet to a different range within the same subnet (I can even write an Android application that does that... I know...)
    • simply use the OpenVPN Android software directly on the tablet, creating an OpenVPN connection directly from the tablet

    The whole purpose of the thread was to see if I can find a method to leverage multiple SSIDs / DHCP.

    I won't be pursuing this anymore... it looks like a dead end...



  • @ChefRayB:

    I take the same tablet, change to SSID A, go on the website www.whatismyip.com and it says USA

    Here I assume you meant SSID B.

    @ChefRayB:

    I won't be pursuing this anymore... it looks like a dead end...

    Not so fast! I have not tried this myself, but perhaps you could use policy-based routing. I propose:

    • Do not use multiple LAN DHCP servers; only use one
    • Do not use multiple LAN subnets; only use one
    • You have one interface for each of the three APs, plus a bridge interface that bridges them all together.
    • Do not assign any of the AP interfaces to have an IP. Only assign an IP to the bridge.
    • Have three different gateways, one for each VPN.
    • For each AP interface, create a firewall rule for policy-based routing. This requires going to Firewall / Rules, and under Advanced, selecting the appropriate Gateway.

    I'd be interested to hear whether this works. You might need to change some of the tunables relating to bridge filtering.



  • Interesting! :) So basically bridge 3 interfaces together within 1 subnet, use 1 DHCP server (no choice if bridged), but then use the interfaces in the rules for gateway selection. ;D

    Can anybody here confirm what Reinderien suggested?

    It might take me a bit of time to reproduce; I need to bridge 2 interfaces together (never did that).

    Wonder if I can bridge 2 VLANs; need to read on that also.

    Okay, before giving up, your suggestion does merit some investigation :)



    • Do not use multiple LAN subnets; only use one

    Access points that support multiple SSIDs generally use VLANs.  You can't have the same network on different VLANs.



  • @JKnott:

    Access points that support multiple SSIDs generally use VLANs.  You can't have the same network on different VLANs.

    Thanks. That's true, I didn't think about that (Ubiquiti supports 4 SSIDs but they are VLANs).
    I have an extra old router that has AP mode (2.4 GHz only) that I can plug in and create an interface.
    I don't mind buying a few access points if I can make this work! :)

    Would it work?



  • @ChefRayB:

    Would it work?

    Dunno, and I don't have multiple APs to try. You could try it with one or more cheap APs-on-a-USB-stick.



  • The problem with what he wants is there is no way, short of VLANs, for pfSense to do what he wants. His first problem is having some difference that can be recognized. For example, the MAC address will not change with different SSIDs, so a DHCP server can't issue a specific IP address. With VLANs, it's a simple matter to have a different address range that can be filtered, but he doesn't want to do that.



  • @JKnott:

    the MAC address will not change with different SSID

    It will if the SSIDs are offered over different interfaces.



  • Since he wants them to be in the same subnet, sooner or later they'll be on the same network/interface.  There's no way around that, given he wants multicasts etc. to work.



  • That means the earlier suggestion of reinderien of bridging the interfaces together won't work, because you can only have 1 DHCP server per bridged interface?

    So the only way to achieve this is VLANs, which come with their caveats, such as the difficulty of having SONOS appliances working across VLANs.

    If I want to stick to the same subnet, I have only 2 choices:

    1. Manually change the IP (boring... it's so 90's...)

    2. Write a little Android app / Win32 app where I press a button and it switches IP address. At that point, might as well use the OpenVPN software. Some VPN providers only allow 1 OpenVPN tunnel connection.

    Thank you all for your help & suggestions



  • @ChefRayB:

    That means the earlier suggestion of reinderien of bridging the interfaces together won't work, because you can only have 1 DHCP server per bridged interface?

    You can certainly have more than one DHCP server, and that's often done for redundancy. However, expecting a DHCP server to know whether you want to use it will not work. When a device makes a DHCP request, any server can respond, and generally the first response is used.