Netgate Discussion Forum

Multi Subnet DHCP - Subnets Sharing DHCP Reservations?

Category: DHCP and DNS
7 Posts, 3 Posters, 424 Views
maxxxxpower (last edited Jan 19, 2018, 11:21 AM)

Running pf 2.4.2. I have 5 subnets, with DHCP for each handled by PF. Each subnet is its own NIC, with an uplink to a Cisco 2960 with VLAN port groups set up. Each subnet has its own uplink to the PF box within its port group.

For each subnet, I have enabled the "Only the clients defined below will get DHCP leases from this server" option.

My problem is, when I connect an "approved" device from one subnet into the router of another, it gets an IP from that subnet (for which it is not defined/listed) and everything works fine for that device.

Should it not deny because it is not defined for that particular sub? Or are the DHCP servers sharing info?

To clarify:

Subnet A - deny all except below: Device 1, Device 2, Device 3

Subnet B - deny all except below: Device 4, Device 5

Now when I plug Device 5 into the switch for Subnet A, it gets an IP in the Subnet A range, despite not being defined for that sub.

maxxxxpower (last edited Jan 19, 2018, 1:16 PM)

Network image to maybe make my rambling clearer. Each VLAN on PF has its own physical NIC. Cisco switch has been configured as pictured; ports grouped and assigned a single VLAN.

PC A is defined in the DHCP scope for vlan100, but not vlan99. Were I to plug PC A into a port for vlan100, it would get a vlan100 IP despite not being listed as a known device for that subnet.

JKnott (last edited Jan 19, 2018, 2:50 PM)

I have a 2nd NIC on my pfSense box and my notebook gets a correct address on both. On my main LAN, I have an IP address mapped to the MAC, but just plain DHCP on the other interface. So, it works fine here. Do you have DHCP set up individually on each interface?

Also, Cogeco provides IPv6. Are you doing anything with that?

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

maxxxxpower (Jan 19, 2018, 2:59 PM; last edited Jan 19, 2018, 3:13 PM)

Thanks for the reply.

PC A is listed in the DHCP server (no static IP, use the pool) for vmx5/vlan100, but not for vmx1/vlan99. HOWEVER, if I plug that device into vlan99, it gets a vlan99 address from the vmx1/vlan99 pool, despite NOT being defined for that DHCP server (and I have confirmed the DHCP is supposed to deny clients not listed).

IPv6 is disabled/blocked as I prefer to deal with IPv4 mappings/firewall rules.

I guess it should be noted that the WAN IP of the pfSense box is on the Cogeco router's DMZ.

johnpoz, LAYER 8 Global Moderator (Jan 19, 2018, 4:17 PM; last edited Jan 19, 2018, 4:22 PM)

So you list the MAC address in vlan100 but do not assign an IP and just let it grab an IP from the vlan 100 pool… And you feel that when this MAC connects to vlan 99 it should not get an IP... You have denied unknown hosts in the vlan 99 settings..

But the thing is the host is NOT unknown, it's known by the DHCP server since the DHCP server shares this info.. There were threads about this a while back - there might even be a redmine entry about it? Would have to look..

edit: I knew this had come up before... It's documented behavior, check out this thread from 2015
https://forum.pfsense.org/index.php?topic=91391.0

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

maxxxxpower (Jan 19, 2018, 4:25 PM; last edited Jan 19, 2018, 5:37 PM)
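A small model of the behaviour johnpoz describes, added here as an example; it is not code from the thread, from pfSense, or from ISC dhcpd. It assumes (as was the case for pfSense 2.4.x) that one ISC dhcpd instance serves every interface and that dhcpd decides "known" versus "unknown" against a single global set of host declarations, whichever scope the mapping was entered under. The scope names, networks and MAC addresses are constructed (the MACs are from the IANA documentation range); the audit function reports every device that would get a lease on a scope its administrator never listed it for, which is exactly the surprise maxxxxpower hit.

```python
"""Why "deny unknown clients" in one pfSense DHCP scope honours MACs listed in
another scope: a single ISC dhcpd instance (platform assumption) keeps one
global table of host declarations. Added example, not pfSense's own code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    """One DHCP scope as the administrator sees it in the pfSense GUI."""
    name: str
    network: str            # CIDR, constructed for this example
    deny_unknown: bool      # "Only the clients defined below will get DHCP leases"
    listed_macs: frozenset  # MACs entered in this scope's mapping list


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-00-5E-00-53-05' == '00:00:5e:00:53:05'."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def global_host_table(scopes) -> frozenset:
    """What dhcpd actually matches against: the union of every scope's mappings."""
    table = set()
    for scope in scopes:
        table.update(normalize_mac(m) for m in scope.listed_macs)
    return frozenset(table)


def would_be_served(scope: Scope, mac: str, known_hosts) -> bool:
    """dhcpd's decision for a request arriving on this scope's interface."""
    if not scope.deny_unknown:
        return True
    return normalize_mac(mac) in known_hosts


def audit_cross_scope_leases(scopes):
    """(mac, scope_name) pairs where a device NOT listed for a scope would still
    get a lease there. An empty list means the per-scope expectation holds."""
    known = global_host_table(scopes)
    findings = []
    for scope in scopes:
        intended = {normalize_mac(m) for m in scope.listed_macs}
        for mac in sorted(known):
            if mac not in intended and would_be_served(scope, mac, known):
                findings.append((mac, scope.name))
    return findings


def render_dhcpd_fragment(scopes) -> str:
    """Illustrative ISC dhcpd.conf-style rendering (not pfSense's generated file):
    the deny lives inside each subnet, but every host declaration is global."""
    lines = []
    for scope in scopes:
        net = ipaddress.ip_network(scope.network)
        lines.append(f"subnet {net.network_address} netmask {net.netmask} {{")
        if scope.deny_unknown:
            lines.append("  deny unknown-clients;")
        lines.append("}")
    for scope in scopes:
        for i, mac in enumerate(sorted(normalize_mac(m) for m in scope.listed_macs)):
            lines.append(f"host {scope.name}_{i} {{ hardware ethernet {mac}; }}")
    return "\n".join(lines)


# Constructed data mirroring the thread: Devices 1-3 on Subnet A, 4-5 on Subnet B.
SCOPE_A = Scope("vlan100", "192.168.100.0/24", True,
                frozenset({"00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"}))
SCOPE_B = Scope("vlan99", "192.168.99.0/24", True,
                frozenset({"00:00:5e:00:53:04", "00:00:5e:00:53:05"}))

if __name__ == "__main__":
    print(render_dhcpd_fragment([SCOPE_A, SCOPE_B]))
    for mac, scope in audit_cross_scope_leases([SCOPE_A, SCOPE_B]):
        print(f"{mac} is not listed for {scope} but would still get a lease there")
```

Run stand-alone, the audit lists Devices 4 and 5 as served on vlan100 and Devices 1 to 3 as served on vlan99; a MAC that appears in no scope at all is still refused. The takeaway for a defender is that the GUI's per-interface allow list is not a per-interface control while the scopes share one server, so segregation by MAC must come from the switch (port security or per-VLAN admission) rather than from DHCP.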

Thanks john, that is what I feared. That what I thought were separate DHCP servers, in fact shared the known hosts.

I will try to google some more to see what I can do!

Found reference here: https://forum.pfsense.org/index.php?topic=91391.0

Duh. Didn't see your edit.

johnpoz, LAYER 8 Global Moderator (Jan 19, 2018, 5:52 PM; last edited Jan 19, 2018, 5:57 PM)

Here is a redmine entry that is pretty much the same problem and is really old.

https://redmine.pfsense.org/issues/1605

And here is the one that Phil put in
https://redmine.pfsense.org/issues/4584

They don't seem to be getting any traction on this.. I assume you are on the current version of pfSense and it is still an issue.. When I get home I will try and duplicate and then update Phil's redmine entry to see if we can get any traction on this.
