Cannot add static entry to DHCP server



  • I've been unable to add a static entry to the DHCP server. I am running pfSense 2.3.4. I have two systems that synchronize DHCP between them (CARP). On one system, call it system "B", I cannot add a new entry at all. I can click on the "add" button, fill in the form with a MAC address, an IP, hostname and description and save it. I get confirmation that the static mapping has changed and that I should apply the changes. I hit the apply button but the entry I made is nowhere to be seen. I checked /etc/dhcpd/dhcpd.conf and the entry doesn't appear in it anywhere.

    On the other system, system "A", I do not see the entry. I can add the entry on system "A" and it will show up. If I go back to system "B" and force a synchronization, the entry then disappears from system "A" rather than appearing in system "B".

    I have even tried shutting down the system whose entry I am trying to create, and deleted the leases on both system "A" and system "B". I then tried to add the entry to system "B" and as before, I can fill in the form, save it, apply the changes and the entry is still nowhere to be found.

    I had recently upgraded to pfSense 2.3.4 on both systems and I believe this is the first time creating a DHCP static entry has been attempted.



  • Also, the IP address is not in the dynamic range.



  • I was able to figure out what was wrong. I had been using my own account, i.e. not admin, so I got hit with a new permission.

    I found that there was a permission applied called "User - Config: Deny Config Write" which is described as "If present, ignores requests from this user to write config.xml." Personally, I think an error message of some sort would be more helpful than silently ignoring the change.

    I was thinking this was a DHCP service configuration issue, but it is broader than that. According to this posting: https://forum.pfsense.org/index.php?topic=119244.0, this permission was already present; there was a bug in a previous version of pfSense that had not enforced it on LDAP accounts.
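Added example, not part of the original posts and not pfSense's own code: a small audit that lists which groups and local users carry the "User - Config: Deny Config Write" privilege in a config.xml backup, whether assigned directly or inherited through a group. It assumes the privilege is stored under the id `user-config-readonly` and that groups reference their members by `uid`; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed privilege id behind "User - Config: Deny Config Write".
DENY_WRITE = "user-config-readonly"

# Constructed sample; layout assumed to follow the <system> user/group entries.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <group><name>admins</name><member>0</member><priv>page-all</priv></group>
    <group><name>netops</name><member>2000</member>
      <priv>page-all</priv><priv>user-config-readonly</priv></group>
    <user><name>admin</name><uid>0</uid></user>
    <user><name>alice</name><uid>2000</uid></user>
    <user><name>bob</name><uid>2001</uid><priv>user-config-readonly</priv></user>
  </system>
</pfsense>"""


def find_write_denied(config_xml, priv=DENY_WRITE):
    """Return (groups, users): the groups holding priv, and a dict mapping
    each affected local user to the source(s) of the privilege."""
    system = ET.fromstring(config_xml).find("system")
    if system is None:
        return [], {}
    groups, denied_uids = [], {}
    for g in system.findall("group"):
        if priv in [p.text for p in g.findall("priv")]:
            name = g.findtext("name", "")
            groups.append(name)
            # Remember every member uid so users can be matched below.
            for m in g.findall("member"):
                denied_uids.setdefault(m.text, []).append("group:" + name)
    users = {}
    for u in system.findall("user"):
        sources = []
        if priv in [p.text for p in u.findall("priv")]:
            sources.append("direct")
        sources += denied_uids.get(u.findtext("uid"), [])
        if sources:
            users[u.findtext("name", "")] = sources
    return groups, users


if __name__ == "__main__":
    groups, users = find_write_denied(SAMPLE_CONFIG)
    print("groups with deny-write:", groups)
    print("local users affected:", users)
```

Running it against a backup from each CARP node shows whether the account used for the change is one whose writes are being dropped.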