Problems in address distribution in DHCP

Itay1787

Hey
I have a problem with IP address distribution in dhcp.

• I do not know if I set it wrong, or it's a bug in the system.

What I would need, and how to setup up everything:
I needed a system that would decide by MAC address, what IP would be given.
setting up then in the following steps:

1. I opened a bridge to himself - lan (picture)
   
2. In the dhcp settings, I set the following settings: (picture)
   
   Then after the normal setting of the dhcp of the bridge and the lan.
   The idea is that those with mac addresses are in lan so they get the dhcp and lan rules. And whoever does not then will move to the bridge and give him the dhcp and his rules.

But unfortunately there is a problem with it in 70% of the time it is not accurate even devices that I added to the mac addresses in lan still sometimes go to the bridge and i have no idea why this happens all the system works fine !! Only this part is not accurate. And devices going through the bridge even though their mac addresses are in lan

Hope you have an idea of ​​why it does this, waiting to hear from you

Thanks Itay

JKnott

@itay1787 said in Problems in address distribution in DHCP:

I needed a system that would decide by MAC address, what IP would be given.

Take a look at the bottom of the DHCP page for "DHCP Static Mappings for this Interface". This is where you assign an IP address to a MAC address. BTW, those IP addresses will have to be outside of the pool range, so you may need to adjust that.

Itay1787

@jknott Yes .... I thought to give a static ip to any MAC address but there are more than 300 addresses and it would be a nightmare to set it up.
And even then, I do not think it will help that because there are some devices I put them static and yet it still happens - rarely but still it happens

JKnott

@itay1787 said in Problems in address distribution in DHCP:

I thought to give a static ip to any MAC address but there are more than 300 addresses and it would be a nightmare to set it up.

Then how do you propose this: "I needed a system that would decide by MAC address, what IP would be given.", without specifying the MAC somehow? pfSense does not filter on MAC address. What you are proposing only affects whether a device gets a DHCP address, but you still have to specify the MAC address. You also say: "I needed a system that would decide by MAC address, what IP would be given.". That is precisely what static mappings does. This will then leave you with two blocks, those with mapped addresses and those without. As I mentioned, they cannot overlap. You can then set up whatever rules you want, based on which block an address is in.

ronron555

Hey, from what I understand the list of the mac addresses are in pfSense already but without IP in the listings.
He want the IP's that are in the list to get DHCP from one interface, and the IP's that are not in the list from another interface (bridge).
This should work but it is not working 100%.

JKnott

@ronron555 said in Problems in address distribution in DHCP:

Hey, from what I understand the list of the mac addresses are in pfSense already but without IP in the listings.

MAC addresses will be listed in the DHCP status page. In there, you can click on the "+" to create a static map to a specific IP address.

I am not aware of any way to force using one DHCP server or another in pfSense. Managed switches can be configured to place a device on a VLAN, based on the MAC, but that's not quite what he wants.

Itay1787

@jknott Hey the MAC addresses are already in the LAN.
Besides VLAN there are still possible?
Do you know someone who uses the method I use? Maybe you can ask someone to help me -who knows what I'm trying to do?

JKnott

@itay1787 said in Problems in address distribution in DHCP:

Hey the MAC addresses are already in the LAN

????

MAC addresses are certainly part of Ethernet frames, but that doesn't do much for you. As I mentioned, there is an easy way to create static mappings. However, I'm still at a loss at what it is you're trying to do. Perhaps if you mentioned the goal, we could advise you on a more suitable method. I really don't understand why you'd need two DHCP servers on a single LAN.

Itay1787

@jknott My goal is that I can separate the devices by their mac addresses. This pfsense is designed for school and I want to create a separation between the teachers and the students because of this i need lan (teachers) will have different rules and different ip addresses. And I already have all the mac addresses of their devices

And students who had their own ip addresses and rules.
At first I thought of setting up vlans with two wifi networks, but because the way the ap is ordered is not really possible.

So I found the method I explained in the first post.
If you have a better way to set it up in pfsense rather than from their devices then it would be great I'm open to suggestions that will help me.

Hope you understand what I want to do.

JKnott

Well, as I mentioned, if you want different IP address ranges, the static mapping will do exactly that. Once that's done, pfSense can use rules for things like access to the Internet, but cannon control behaviour on the local LAN. The method you describes, as I understand it, is to have two DHCP servers, but having the servers provide IP addresses to one set of MACs, but not the other. Is that correct? If so, then you're taking the hard way of doing what static mappings provide. For example, you could configure static addresses, perhaps for the staff, below .100 and normal DHCP, above .100 for others. Another advantage to using static mappings is you can convert a MAC from regular DHCP to static mapped, by selecting it in the DHCP status and then assigning it an address. Trying to do this by somehow having two DHCP servers, where you'd still have to manually add the MAC address is simply the wrong way to do it.

Itay1787

@jknott Let's see if I understood you
You say, set static IP mappings to all the mac addresses I have at the moment? And open to everyone else, dhcp standard?

I do not remember mentioning it
But one of the things I needed two dhcp is because I had to block a lot of things within the network and limit speed. Can I do this with what you suggest (hopefully I understood you)?

JKnott

@itay1787 said in Problems in address distribution in DHCP:

Can I do this with what you suggest (hopefully I understood you)?

Yes. As I mentioned, you will have 2 blocks of IP addresses, those within the normal DHCP pool and those that are static mapped. Since the two cannot overlap, you can set up rules according to which address range. If you go to the filter page, you can filter. The closest I can see for filtering on a block of addresses is the subnet mask part. With that, you would have to place the boundary between the two blocks on a power of 2. For example, if you have a total address space of 512, which you'd need for 300 hosts, then you could use a /24 sub net mask in the filter. However, I haven't tried this myself, so perhaps someone else can advise further. Regardless, no matter how you assign addresses to the different blocks, the method to filter them would be the same.

I can't think of a better way to achieve what you want, given you can't use a 2nd SSID & VLAN on the access point. If you could, this would be a lot easier.

ronron555

@jknott What do mean by "filter page"?

JKnott

@ronron555 said in Problems in address distribution in DHCP:

@jknott What do mean by "filter page"?

In pfSense, click on Firewall > Rules. It's where you create the rules to filter traffic.

johnpoz

@itay1787 said in Problems in address distribution in DHCP:

This pfsense is designed for school and I want to create a separation between the teachers and the students because of this i need lan (teachers) will have different rules and different ip addresses.

This done via VLAN... PERIOD!!! If your AP does not support vlans, then get new AP that does.. Or just use different AP for each vlan.. Same goes for switches - you need vlan capable switches unless all of your clients are wireless.

If what you want to do is allow different users to access different internet pages, this can be done with proxy, and or restrictions can be done with captive portal, etc.

akuma1x

I would do this one of two different ways: 2 separate physical interfaces, or 2 separate virtual interfaces.

Put all teachers on one interface, put all students on the other interface. You can then DHCP and work with the pile of MAC & IP addresses all you want, for each interface. If you want traffic to cross-over from one interface to the other, simply write the proper firewall rules on pfsense.

Do NOT use bridging.

Jeff

Itay1787

@jknott Hey, after the new changes I made to pfsense on your advice it seems that the problem was gone, everything works great.
There is only one problem - I have to block all "STUDENTS_Network" from "LAN"
Meaning that they would have access only to the Internet and nothing else.
Please look at the picture I attached.

johnpoz

Where is this students network - I only see lan and admin_vlan

Where is the students vlan?

Itay1787

@johnpoz There is no vlan. This is alias

Derelict

In that configuration any student who wants to can just set a static IP address on the teacher LAN and be on it.

That is implementing almost no security at all. Or, worse, just an illusion of security.

If that is a business requirement, someone is going to have to buy some gear that supports 802.1q. Or duplicate the layer 2 gear for two separate LANs with different router interfaces.