Problems in address distribution in DHCP



  • Hey
    I have a problem with IP address distribution in DHCP.

    I do not know if I set it wrong, or if it's a bug in the system.

    What I would need, and how to set up everything:
    I needed a system that would decide by MAC address, what IP would be given.
    I set it up in the following steps:

    1. I opened a bridge to itself - LAN (picture)
    2. In the DHCP settings, I set the following settings: (picture)
      Then, after the normal DHCP setup of the bridge and the LAN.
      The idea is that those whose MAC addresses are in LAN get the LAN DHCP and LAN rules, and whoever does not moves to the bridge and gets its DHCP and its rules.

    But unfortunately there is a problem with it: 70% of the time it is not accurate. Even devices that I added to the MAC addresses in LAN still sometimes go to the bridge, and I have no idea why this happens. All the system works fine!! Only this part is not accurate, and devices go through the bridge even though their MAC addresses are in LAN.

    Hope you have an idea of why it does this, waiting to hear from you.

    Thanks, Itay



  • @itay1787 said in Problems in address distribution in DHCP:

    I needed a system that would decide by MAC address, what IP would be given.

    Take a look at the bottom of the DHCP page for "DHCP Static Mappings for this Interface". This is where you assign an IP address to a MAC address. BTW, those IP addresses will have to be outside of the pool range, so you may need to adjust that.



  • @jknott Yes.... I thought of giving a static IP to every MAC address, but there are more than 300 addresses and it would be a nightmare to set up.
    And even then, I do not think it will help, because there are some devices I set as static and yet it still happens - rarely, but still it happens.



  • @itay1787 said in Problems in address distribution in DHCP:

    I thought of giving a static IP to every MAC address, but there are more than 300 addresses and it would be a nightmare to set up.

    Then how do you propose this: "I needed a system that would decide by MAC address, what IP would be given.", without specifying the MAC somehow? pfSense does not filter on MAC address. What you are proposing only affects whether a device gets a DHCP address, but you still have to specify the MAC address. You also say: "I needed a system that would decide by MAC address, what IP would be given.". That is precisely what static mappings do. This will then leave you with two blocks, those with mapped addresses and those without. As I mentioned, they cannot overlap. You can then set up whatever rules you want, based on which block an address is in.



  • Hey, from what I understand the list of the MAC addresses is in pfSense already, but without IPs in the listings.
    He wants the IPs that are in the list to get DHCP from one interface, and the IPs that are not in the list from another interface (bridge).
    This should work, but it is not working 100%.



  • @ronron555 said in Problems in address distribution in DHCP:

    Hey, from what I understand the list of the MAC addresses is in pfSense already, but without IPs in the listings.

    MAC addresses will be listed in the DHCP status page. In there, you can click on the "+" to create a static map to a specific IP address.

    I am not aware of any way to force using one DHCP server or another in pfSense. Managed switches can be configured to place a device on a VLAN, based on the MAC, but that's not quite what he wants.



  • @jknott Hey, the MAC addresses are already in the LAN.
    Besides VLANs, is anything else still possible?
    Do you know someone who uses the method I use? Maybe you can ask someone to help me - who knows what I'm trying to do?



  • @itay1787 said in Problems in address distribution in DHCP:

    Hey the MAC addresses are already in the LAN

    ????

    MAC addresses are certainly part of Ethernet frames, but that doesn't do much for you. As I mentioned, there is an easy way to create static mappings. However, I'm still at a loss at what it is you're trying to do. Perhaps if you mentioned the goal, we could advise you on a more suitable method. I really don't understand why you'd need two DHCP servers on a single LAN.



  • @jknott My goal is that I can separate the devices by their MAC addresses. This pfSense is designed for a school and I want to create a separation between the teachers and the students; because of this I need the LAN (teachers) to have different rules and different IP addresses. And I already have all the MAC addresses of their devices.

    And students, who would have their own IP addresses and rules.
    At first I thought of setting up VLANs with two WiFi networks, but because of the way the AP is ordered, it is not really possible.

    So I found the method I explained in the first post.
    If you have a better way to set it up in pfSense rather than from their devices, then it would be great; I'm open to suggestions that will help me.

    Hope you understand what I want to do.



  • Well, as I mentioned, if you want different IP address ranges, the static mapping will do exactly that. Once that's done, pfSense can use rules for things like access to the Internet, but cannot control behaviour on the local LAN. The method you describe, as I understand it, is to have two DHCP servers, but having the servers provide IP addresses to one set of MACs, but not the other. Is that correct? If so, then you're taking the hard way of doing what static mappings provide. For example, you could configure static addresses, perhaps for the staff, below .100 and normal DHCP, above .100 for others. Another advantage to using static mappings is you can convert a MAC from regular DHCP to static mapped, by selecting it in the DHCP status and then assigning it an address. Trying to do this by somehow having two DHCP servers, where you'd still have to manually add the MAC address, is simply the wrong way to do it.



  • @jknott Let's see if I understood you.
    You say, set static IP mappings for all the MAC addresses I have at the moment, and open standard DHCP to everyone else?

    I do not remember mentioning it,
    but one of the reasons I needed two DHCP servers is because I had to block a lot of things within the network and limit speed. Can I do this with what you suggest (hopefully I understood you)?



  • @itay1787 said in Problems in address distribution in DHCP:

    Can I do this with what you suggest (hopefully I understood you)?

    Yes. As I mentioned, you will have 2 blocks of IP addresses, those within the normal DHCP pool and those that are static mapped. Since the two cannot overlap, you can set up rules according to which address range an address is in. If you go to the filter page, you can filter. The closest I can see for filtering on a block of addresses is the subnet mask part. With that, you would have to place the boundary between the two blocks on a power of 2. For example, if you have a total address space of 512, which you'd need for 300 hosts, then you could use a /24 subnet mask in the filter. However, I haven't tried this myself, so perhaps someone else can advise further. Regardless, no matter how you assign addresses to the different blocks, the method to filter them would be the same.

    I can't think of a better way to achieve what you want, given you can't use a 2nd SSID & VLAN on the access point. If you could, this would be a lot easier.
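As an added illustration of the two-block plan described above (this is example code, not from the thread or from pfSense), assuming a constructed 192.168.0.0/23 space split into a static-mapped /24 and a pool /24, with constructed MAC-to-IP mappings and pool bounds: it checks the constraints the thread states (pool range inside its block, mapped addresses outside the pool) and shows why the boundary has to fall on a power of 2 when a firewall rule can only match on a prefix.

```python
import ipaddress

# Constructed address plan (assumed, not taken from the thread): a /23 gives
# the 512 addresses mentioned for roughly 300 hosts, split on a power-of-2
# boundary into two /24 blocks, one for static-mapped devices and one for
# the normal DHCP pool.
LAN = ipaddress.ip_network("192.168.0.0/23")
STATIC_BLOCK, POOL_BLOCK = list(LAN.subnets(prefixlen_diff=1))

# Constructed MAC -> IP entries, standing in for "DHCP Static Mappings".
STATIC_MAPPINGS = {
    "00:11:22:33:44:01": ipaddress.ip_address("192.168.0.10"),
    "00:11:22:33:44:02": ipaddress.ip_address("192.168.0.11"),
}

# Pool range for everyone else, as it would be entered on the DHCP page.
POOL_START = ipaddress.ip_address("192.168.1.20")
POOL_END = ipaddress.ip_address("192.168.1.250")


def block_for(ip):
    """Which block a lease belongs to, i.e. which firewall rules apply."""
    ip = ipaddress.ip_address(ip)
    if ip in STATIC_BLOCK:
        return "static"
    if ip in POOL_BLOCK:
        return "pool"
    return "outside"


def check_plan():
    """Return the plan violations the thread warns about: the pool range
    must stay in its block, and mapped addresses must lie outside the pool."""
    problems = []
    if STATIC_BLOCK.overlaps(POOL_BLOCK):
        problems.append("blocks overlap")
    if POOL_START not in POOL_BLOCK or POOL_END not in POOL_BLOCK:
        problems.append("pool range leaves its block")
    for mac, ip in STATIC_MAPPINGS.items():
        if POOL_START <= ip <= POOL_END:
            problems.append(f"{mac} mapped inside the pool range")
        elif ip not in STATIC_BLOCK:
            problems.append(f"{mac} mapped outside the static block")
    return problems


def covering_prefix(addresses):
    """Smallest CIDR block containing every address given. A firewall rule
    matches on prefix, so the boundary between blocks must sit on a power
    of 2: a mapping that strays across it widens the prefix into the pool."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while any(a not in net for a in addrs):
        net = net.supernet()
    return net
```

`covering_prefix` makes the power-of-2 point concrete: two mapped hosts anywhere in 192.168.0.0/24 still yield a /24 rule, but one mapped host in 192.168.1.x forces a /23 that swallows the whole pool.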



  • @jknott What do you mean by "filter page"?



  • @ronron555 said in Problems in address distribution in DHCP:

    @jknott What do you mean by "filter page"?

    In pfSense, click on Firewall > Rules. It's where you create the rules to filter traffic.


  • LAYER 8 Global Moderator

    @itay1787 said in Problems in address distribution in DHCP:

    This pfSense is designed for a school and I want to create a separation between the teachers and the students; because of this I need the LAN (teachers) to have different rules and different IP addresses.

    This is done via VLAN... PERIOD!!! If your AP does not support VLANs, then get a new AP that does.. Or just use a different AP for each VLAN.. Same goes for switches - you need VLAN-capable switches unless all of your clients are wireless.

    If what you want to do is allow different users to access different internet pages, this can be done with a proxy, and/or restrictions can be done with captive portal, etc.



  • I would do this one of two different ways: 2 separate physical interfaces, or 2 separate virtual interfaces.

    Put all teachers on one interface, put all students on the other interface. You can then DHCP and work with the pile of MAC & IP addresses all you want, for each interface. If you want traffic to cross-over from one interface to the other, simply write the proper firewall rules on pfsense.

    Do NOT use bridging.

    Jeff



  • @jknott Hey, after the new changes I made to pfSense on your advice it seems that the problem is gone; everything works great.
    There is only one problem - I have to block all of "STUDENTS_Network" from "LAN",
    meaning that they would have access only to the Internet and nothing else.
    Please look at the picture I attached.


  • LAYER 8 Global Moderator

    Where is this students network - I only see lan and admin_vlan

    Where is the students vlan?



  • @johnpoz There is no VLAN. This is an alias.


  • LAYER 8 Netgate

    In that configuration any student who wants to can just set a static IP address on the teacher LAN and be on it.

    That is implementing almost no security at all. Or, worse, just an illusion of security.

    If that is a business requirement, someone is going to have to buy some gear that supports 802.1q. Or duplicate the layer 2 gear for two separate LANs with different router interfaces.



  • @derelict We know that VLANs will be much more secure,
    but as soon as the network is built, it's the thing we found that will work. We may soon be switching APs, and when that happens, we'll make sure they have VLANs and replace everything with VLANs.

    But right now we have a problem with setting up one of the rules as I said above.


  • LAYER 8 Global Moderator

    You cannot stop people on network A from talking to other people on network A... The firewall/router is NOT involved in these discussions.

    Why do you think we stated the only way to do this is with VLANs?


  • LAYER 8 Netgate

    Because DHCP server is not designed to do that. It is designed to serve the interface subnet scope. You will probably have to use a different DHCP server.


  • LAYER 8 Global Moderator

    You cannot build a network with junk ;) You need to either isolate your networks at the physical layer with different switches and APs for each network you want, or you need switches and APs that support VLANs - it's that simple = PERIOD!



  • @johnpoz I thought so.
    So can't you just block one subnet from everyone??
    And from how it sounds, we'll move on to VLANs faster than I thought.



  • @derelict We tried it. Did not work properly at all !!!!



  • @johnpoz Question: I have one switch which is the main one and it supports VLANs. Can I take out VLAN tagging, then, from the AP (which is after some other "dumb" switches)? Will it work without affecting the rest of the network??



  • @itay1787 said in Problems in address distribution in DHCP:

    @johnpoz Question: I have one switch which is the main one and it supports VLANs. Can I take out VLAN tagging, then, from the AP (which is after some other "dumb" switches)? Will it work without affecting the rest of the network??

    If you remove the VLAN tags, you'll not have VLANs. I assume you're asking if you can put the AP on just one VLAN? If so, yes. Assign an access port, on that managed switch to that VLAN and then connect the AP to it. The AP will then only connect to that one VLAN. Those dumb switches, between the AP and managed switch, will also be on that same VLAN. However, that means only one group can use WiFi.


  • LAYER 8 Global Moderator

    You can downstream dumb switches from a smart switch, sure... And all devices connected to that dumb switch will be in VLAN X, which the upstream smart switch puts that switch in.

    You can then use specific dumb AP and connect them to specific vlans depending on where you plug them in. Or if you want clients that are on different vlans to use the same AP then the AP needs to support vlans, and it needs to be connected to a switch that supports vlans.

    This can be done very cheaply, depending on how many ports you need, how many WiFi clients you have and how spread out you need your network to be. An 8-port smart switch can be had for like $40; an AP that supports AC and VLANs, say the UniFi AC-Lite model, is like $70.



  • I mean, if I can set up a VLAN from a switch that supports it and set it as tagged, and then take the VLAN tagging off at the AP, with the AP connected to the dumb switch, it will not affect the devices that are connected to the other ports in the dumb switch.

    Right? Because that's what VLAN tagging should do.



  • VLAN tagging will pass through dumb switches. However, if your AP doesn't handle VLANs, which is what I thought you said, it wouldn't work. VLANs are just a way to logically separate networks. If you want an AP to support multiple SSIDs, which is necessary to separate users, then it must support VLANs. You'd also need VLAN support on pfSense or a managed switch to handle those VLANs.


  • LAYER 8 Global Moderator

    While it is possible to pass VLAN tags across a dumb switch - since it doesn't understand the tags.. There will be no isolation on that switch... All broadcasts will go over all ports no matter the VLAN they are supposed to be in.

    Just because a dumb switch might not actually strip a tag doesn't mean it's a good idea to run VLANs over such a device...

    If you're going to use VLANs then all your devices should support VLANs - other than that, you can leverage dumb switches as access level switches where only clients in the same VLAN will be connected, and the only VLAN that will go to that end switch is one specific VLAN... I.e. as a downstream switch from a smart switch.. But no other VLANs should cross over that switch.



  • I will tell you what I want to do as best I can explain, and you will tell me whether it will work or not. OK?

    1. All my APs support VLANs and multiple SSIDs.
    2. I have a smart switch that is the first and the main one. The rest are not smart switches.

    I want to pass a tagged VLAN from the main switch.
    It will pass through the non-smart switches to the APs. Then the APs will take the tagged VLAN, without damaging the rest of the network. Will it work?


  • LAYER 8 Global Moderator

    Why do you have to pass the AP across the dumb switch? Connect it to the smart switch... If you need the switch as an extension for the run - pick up a $40 smart switch to use and hang your dumb switch off that.

    Can you run the VLAN tags across the dumb switch? More than likely they will not strip them... But what they will do, since they do not understand VLANs, is that all clients on this dumb switch will see all broadcast traffic from every VLAN that crosses over that switch. And any client on that dumb switch could just add a tag and join any VLAN they want.

    It is NOT how you run a network!!!

    You might get away with this if your order of smart switches got delayed and you had to bring this up NOW or lose money because production is down and all you have is some dumb switch to use.. But this is not how anyone who works in IT would do it... You might as well just run 1 flat network if this is how you're going to run a network.



  • @johnpoz I cannot replace all the non-smart switches; there are too many. Such a network literally has more than 300 stationary computers connected to it!!!



  • @itay1787 said in Problems in address distribution in DHCP:

    @johnpoz I cannot replace all the non-smart switches; there are too many. Such a network literally has more than 300 stationary computers connected to it!!!

    I believe he suggested running a cable from the AP to managed switch. Is that not possible? How many APs are we talking about?



  • @jknott It really is not possible.
    There are about 10 to 12 APs.



  • @itay1787 said in Problems in address distribution in DHCP:

    @jknott It really is not possible.
    There are about 10 to 12 APs.

    Any chance you could have just the APs on a dumb switch?



  • @jknott said in Problems in address distribution in DHCP:

    VLAN tagging will pass through dumb switches.

    If you are lucky. More often they just vanish, or get corrupted.



  • @heper said in Problems in address distribution in DHCP:

    If you are lucky. More often they just vanish, or get corrupted.

    Any switch that does that is defective. A switch is supposed to pass any and all valid Ethernet frames. A valid Ethernet frame consists of destination & source MACs, payload and CRC. What distinguishes a VLAN frame from others is the contents of the Ethertype/length field. The VLAN tag is carried in the payload area and should not be touched by a switch. The exception being managed switches configured for VLANs, which create, forward and remove the VLAN frames. There is absolutely no reason why an unmanaged switch would handle a VLAN frame differently than any other. The only exception would be ancient gear that cannot handle Ethernet payloads greater than 1500 bytes. If you run into switches like that, then just reduce MTU to 1496 to avoid the problem.
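An added example (not posted in the thread) that walks through the frame layout just described: it parses a constructed Ethernet II frame, reports whether the EtherType field carries the 802.1Q tag and which VLAN ID it names, and shows why gear that counts everything after the 14-byte header as payload needs the 1496-byte MTU. The sample frames and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
LEGACY_MAX_PAYLOAD = 1500  # what pre-802.1Q gear accepts after the header


def parse_frame(frame):
    """Split an Ethernet II frame (FCS already stripped) into its fields.

    Returns dst, src, vlan (None when untagged), ethertype and payload.
    The 4-byte tag, when present, sits right after the source MAC where
    the EtherType/length field would otherwise be; the real EtherType
    follows it, so a switch that ignores the tag still sees a valid frame.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def exceeds_legacy_limit(frame):
    """True when a switch that knows nothing about 802.1Q would see more
    than 1500 bytes after the 14-byte header, because it counts the tag
    as payload. A 1496-byte MTU on tagged links keeps the total at 1500."""
    return len(frame) - 14 > LEGACY_MAX_PAYLOAD


# Constructed sample frames (not captures): broadcast dst, an IPv4
# EtherType (0x0800) and a 20-byte dummy IPv4 payload starting with 0x45.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
IPV4 = 0x0800
DUMMY_IP = b"\x45" + b"\x00" * 19
UNTAGGED = DST + SRC + struct.pack("!H", IPV4) + DUMMY_IP
# Tag: PCP 3, DEI 0, VID 100 -> TCI = (3 << 13) | 100
TAGGED = DST + SRC + struct.pack("!HHH", TPID_8021Q, (3 << 13) | 100, IPV4) + DUMMY_IP


def tagged_frame_with_payload(size):
    """Reuse the sample tagged header with a payload of the given size."""
    return TAGGED[:18] + b"\x00" * size
```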

