DHCP - MAC Address Control issue



  • Hi everybody,

    Need help with my setup:

    => Have 1 x pfsense + 1 x Netgear Managed Switch

    I have setup a DHCP Server [10.1.1.1-99/24] with an additional pool [10.1.1.100-150/24] on pfsense.

    The additional pool is set with MAC Allow. MAC allow includes a partial MAC for UniFi AP [80:2A:A8].

    ….....
    Plugged out AP
    Restarted DHCP Server
    Erase DHCP Lease for AP
    Restarted Switches and flushed address Table.
    Plugged AP
    ........

    DHCP leases IP 10.1.1.12

    .......
    Plugged a new AP
    .......

    DHCP leases IP 10.1.1.13

    What am I doing wrong ?


  • Galactic Empire

    I think the issue is the two pools.

    "If an IPv4 address is entered, the address must be outside of the pool.
    If no IPv4 address is given, one will be dynamically allocated from the pool." << not sure what happens when there are 2 pools.

    You can assign IP addresses via dhcp without a pool.

    Remove the 10.1.1.1-99 or the 10.1.1.100-150 pool and hard code the full mac address and ip address from the pool you removed.



  • Thank you for your reply.

    Here is what I tried:

    • Removed 10.1.1.1-99 pool. -> AP got IP from 10.1.1.100-150 pool …. logic
    • Activate 1-99 pool again. Add full MAC Address from AP to 100-150 pool. AP gets IP from 1-99pool
    • In 1-99 pool interface, Add MAC address from AP to Static MAC filtering with a dedicated IP -> AP get's it.

    .... think a little bit....

    • Add MAC deny rule in 1-99 pool with partial MAC from AP. Add MAC allow rule in 100-150. -> AP get's IP from 100-150 pool. (work around?)
    • Keep the same settings, add cross to Deny Unknown Clients ... AP get's no IP.

    Read -> https://doc.pfsense.org/index.php/DHCP_Server#MAC_Address_Control

    Listing a MAC address in the allow list will permit a client to use this pool AND it will prevent any other MAC address not in this allow list from using the pool. This does NOT prevent the specified MAC address from using other pools, it must also be denied there.

    Conclusion
    What I understand is I need to deny partial MAC of AP in other pools and allow partial MAC to his dedicated pool.


  • Galactic Empire

    You do know Ubiquity have a bunch of different mac address allocated to them ?

    00:15:6D Ubiquiti Networks Inc.
    00:27:22 Ubiquiti Networks Inc.
    04:18:D6 Ubiquiti Networks Inc.
    24:A4:3C Ubiquiti Networks Inc.
    44:D9:E7 Ubiquiti Networks Inc.
    68:72:51 Ubiquiti Networks Inc.
    78:8A:20 Ubiquiti Networks Inc.
    80:2A:A8 Ubiquiti Networks Inc.
    B4:FB:E4 Ubiquiti Networks Inc.
    DC:9F:DB Ubiquiti Networks Inc.
    F0:9F:C2 Ubiquiti Networks Inc.
    FC:EC:DA Ubiquiti Networks Inc.



  • Yes sir, i do know the fact that unifi has different MAC address.

    But the ap i use for my test has 80:a2:a8 ….



  • For those who are interested, here's the solution:

    Create a DHCP Server [10.1.1.1-99/24] with an additional pool [10.1.1.100-150/24].

    -> Add MAC Deny for DHCP Server [10.1.1.1-99/24]: DC:9F:DB,78:8A:20,24:A4:3C,00:15:6D,FC:EC:DA,B4:FB:E4,68:72:51,04:18:D6,F0:9F:C2,80:2A:A8,44:D9:E7,00:27:22

    Go to additionnal pool [10.1.1.100-150/24]

    -> Add domain name: localdomain
    -> Add domain search list: localdomain
    -> Add MAC Allow: DC:9F:DB,78:8A:20,24:A4:3C,00:15:6D,FC:EC:DA,B4:FB:E4,68:72:51,04:18:D6,F0:9F:C2,80:2A:A8,44:D9:E7,00:27:22

    Go to Services -> DNS Resolver

    -> Add Host Overrides: Host: unifi, Domain:localdomain, IP: <whereyourunificontrollerisinstalled>-> Add Domain Overrides: Domain: localdomain, IP: <whereyourunificontrollerisinstalled></whereyourunificontrollerisinstalled></whereyourunificontrollerisinstalled>


  • Rebel Alliance Global Moderator

    Why would you not just create a reservation for your AP mac, so it always gets the IP address you want it to get?  This would be much simpler than creating pools with deny - wouldn't it?

    Are you setting this up so a bunch of AP can be deployed without knowing what their mac is?  If so then what your doing makes more sense.. So you plan on deploying like 50 AP?



  • Indeed I will deploy between 20 to 100 AP at each customer. But before performing this, I needed to get it work on our test setup..


  • Rebel Alliance Global Moderator

    Ah - then yeah this makes sense.  Thanks for feeding my curiosity cat ;)  He gets real cranky when info is missing - hehehe