  • Running pf 2.4.2. I have 5 subnets, with DHCP for each handled by PF. Each subnet is its own NIC, with an uplink to a Cisco 2960 with VLAN port groups set up. Each subnet has its own uplink to the PF box within its port group.

    For each subnet, I have enabled the "Only the clients defined below will get DHCP leases from this server" option.

    My problem is, when I connect an "approved" device from one subnet into the router of another, it gets an IP from that subnet (for which it is not defined/listed) and everything works fine for that device.

    Should it not deny because it is not defined for that particular sub? Or are the DHCP servers sharing info?

    To clarify:

    Subnet A - deny all except below: Device 1, Device 2, Device 3

    Subnet B - deny all except below: Device 4, Device 5

    Now when I plug device 5 into the switch for Subnet A, it gets an IP in the Subnet A range, despite not being defined for that sub.

  • Network image to maybe make my rambling clearer. Each VLAN on PF has its own physical NIC. Cisco switch has been configured as pictured; ports grouped and assigned a single VLAN.

    PC A is defined in the DHCP scope for vlan100, but not vlan99. Were I to plug PC A into a port for vlan100, it would get a vlan100 IP despite not being listed as a known device for that subnet.

  • I have a 2nd NIC on my pfSense box and my notebook gets a correct address on both. On my main LAN, I have an IP address mapped to the MAC, but just plain DHCP on the other interface. So, it works fine here. Do you have DHCP set up individually on each interface?

    Also, Cogeco provides IPv6.  Are you doing anything with that?

  • Thanks for the reply.

    PC A is listed in the DHCP server (no static IP, use the pool) for vmx5/vlan100, but not for vmx1/vlan99. HOWEVER, if I plug that device into vlan99, it gets a vlan99 address from the vmx1/vlan99 pool, despite NOT being defined for that DHCP server (and I have confirmed the DHCP is supposed to deny clients not listed).

    IPv6 is disabled/blocked as I prefer to deal with IPv4 mappings/firewall rules.

    ***I guess it should be noted that the WAN IP of the pfSense box is on the Cogeco router's DMZ.

  • LAYER 8 Global Moderator

    So you list the MAC address in vlan100 but do not assign an IP and just let it grab an IP from the vlan100 pool... And you feel that when this MAC connects to vlan99 it should not get an IP... You have denied unknown hosts in the vlan99 settings...

    But the thing is the host is NOT unknown; it's known by the DHCP server, since the DHCP server shares this info. There were threads about this a while back; there might even be a redmine entry about it? I would have to look.

    edit: I knew this had come up before... It's documented behavior; check out this thread from 2015

  • Thanks john, that is what I feared: what I thought were separate DHCP servers in fact share the known hosts.

    I will try to google some more to see what I can do!

    **found reference here:

    Duh. Didn't see your edit.

  • LAYER 8 Global Moderator

    Here is a redmine entry for pretty much the same problem; it is really old.

    And here is the one that Phil put in.

    They don't seem to be getting any traction on this. I assume you're on the current version of pfSense and it's still an issue. When I get home I will try to duplicate it and then update Phil's redmine entry to see if we can get any traction on this.
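Editor's note, not part of the thread: the behaviour the moderator describes above (a MAC listed under any interface's DHCP server counts as "known" on every interface, so "deny unknown clients" on a different interface does not stop it) follows from how ISC dhcpd, the DHCP server pfSense 2.4 uses, scopes `host` declarations: a client is "unknown" only if no `host` declaration for it exists anywhere in dhcpd.conf, and `host` declarations are global even when they are written inside a `subnet` block. The fragment below is an added example written for this page, not pfSense's generated config or anything posted in the thread; the interface comments, subnet ranges, host names and MAC addresses are invented. It puts a pfSense-style "deny unknown clients" configuration next to the ISC class/subclass form that actually restricts a pool to a per-subnet list.

```conf
# --- Weak form: roughly what "deny unknown clients" plus a MAC entry produces (hypothetical) ---
subnet 192.168.100.0 netmask 255.255.255.0 {          # vmx5 / vlan100 (assumed addressing)
    deny unknown-clients;
    pool {
        range 192.168.100.100 192.168.100.199;
    }
    # "PC A": listed so it can draw from the pool, no fixed-address
    host pc_a { hardware ethernet 00:11:22:33:44:55; }
}

subnet 192.168.99.0 netmask 255.255.255.0 {           # vmx1 / vlan99 (assumed addressing)
    deny unknown-clients;
    pool {
        range 192.168.99.100 192.168.99.199;
    }
}
# Result: ISC dhcpd treats 00:11:22:33:44:55 as "known" because a host declaration exists
# for it somewhere in the file; the subnet it was written under does not matter. Plugged
# into vlan99 it passes "deny unknown-clients" there and gets a lease from the vlan99 pool.

# --- Corrected form: one class per subnet, and each pool admits only members of its class ---
class "vlan100-allowed" { match hardware; }
subclass "vlan100-allowed" 1:00:11:22:33:44:55;      # 1: = Ethernet hardware type, then the MAC

class "vlan99-allowed" { match hardware; }
subclass "vlan99-allowed" 1:00:11:22:33:44:66;       # a different, invented device

subnet 192.168.100.0 netmask 255.255.255.0 {
    pool {
        allow members of "vlan100-allowed";          # anything not in the class is refused
        range 192.168.100.100 192.168.100.199;
    }
}

subnet 192.168.99.0 netmask 255.255.255.0 {
    pool {
        allow members of "vlan99-allowed";
        range 192.168.99.100 192.168.99.199;
    }
}
# A pool with only "allow members of" permit rules offers leases solely to those members,
# so 00:11:22:33:44:55 plugged into a vlan99 port now gets no offer at all.
```

Two caveats. First, the pfSense 2.4 GUI exposes "deny unknown clients" and MAC entries but, to this editor's knowledge, no field for `class`/`subclass` declarations, so the corrected form would have to be injected into the generated dhcpd.conf outside the GUI and would be overwritten on the next DHCP settings save unless that injection is automated; treat that as an assumption about the GUI rather than a documented limitation. Second, both forms gate on the client's MAC address, which any host can set freely, so neither is an access control for who may join a VLAN; it only stops an honest device from accidentally getting a lease. Port-based 802.1X or MAC authentication on the 2960 is where that control belongs, with the DHCP list kept as an inventory convenience.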

