DHCP Static mappings seem to be used by all DHCP scopes on all interfaces
-
Hi All, I'm not sure that title makes sense but I'll try and explain...
We have a pfSense with 2 LAN sub-interfaces (VLAN101 & VLAN102) assigned to two different VLANs (101 & 102).
We then have two DHCP scopes assigned as follows:
One is assigned to interface VLAN101
Scope Range: 10.0.1.10 - 10.0.1.254
"Deny unknown clients - Only the clients defined below will get DHCP leases from this server." option is checked.
There is a list of MAC addresses (different from VLAN102) for known devices then added to this scope.
The other is assigned to interface VLAN102.
Scope Range: 10.0.2.10 - 10.0.2.254
"Deny unknown clients - Only the clients defined below will get DHCP leases from this server." option is checked.
There is a list of MAC addresses (different from VLAN101) for known devices then added to this scope.
Our Wifi uses VLAN 101 for SSID (PRIVATE) and VLAN 102 for SSID (PUBLIC).
Today I noticed that I was able to connect my mobile phone to the PUBLIC wifi and get a 10.0.2.20 IP address even though the MAC address of my phone wasn't listed under VLAN102 on pfSense.
I tried the same thing with a Laptop and was unable to get an IP address. I then added the Laptop's MAC address to VLAN101, tried again to connect to the PUBLIC wifi (VLAN102) and was able to get 10.0.2.20 IP address.
It seems that the MAC address list is being applied to both DHCP scopes regardless of where it is set up.
Can anyone shed any light on what we've got configured incorrectly?
-
WAD..
Your MAC is known, so it's allowed to get an IP.
-
Yes, my MAC is known, but on a completely different VLAN.
-
But it's a shared list, this has been brought up a few times over the years... It has always been this way.. Wording could be better I guess to state that better.
Here this is where it came up back in 2016 ;)
https://forum.netgate.com/topic/108021/deny-unknown-clients-broke
As mentioned in that thread.
"If you want to restrict by MAC per interface, use the MAC allow or deny boxes and not "deny unknown clients"."
edit: From this looks like if you run 2.5 you can use sub classes and works how you want it to work
https://redmine.pfsense.org/issues/1605
-
Oh right, well how strange our old Netgate used to work in exactly this way.
i.e. I thought that was the reason for having separate lists under each Scope. I can't think of another reason for having separate lists. I presume this is a bug?
I can't believe it's supposed to be like that...
I see the MAC address control option.... but that's not quite what I'm expecting. The lists provide a way of assigning DHCP reservations as far as I understand it.
If I do this on a Windows box it works exactly like this and as I say the way the pfSense GUI displays would lead you to believe that is exactly how it should work... I'll check out your link... thanks for your help.
-
I mean... "DHCP Static Mappings for this Interface" would lead you to believe that wouldn't it? If I go to the other scope and scroll down to the DHCP Static Mappings for this interface I get a completely different list, yet they all seem to be able to get IP addresses regardless....
-
I hear yeah ;) Did you read the old thread, and the redmine? If you want it to work that way - upgrade to 2.5.. Or just use the other method.
-
Well that is officially very odd... After much fiddling.. enabling static ARP, disabling static ARP, restarting the service and so on... I discovered that our WiFi voucher system had also stopped working. The solution to that was to uncheck the only allow users listed below access.. which would sort of indicate that the option was now working.... I think an upgrade to 2.5 when it's officially stable might be a good idea in any case... thanks for your help.
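-
A small audit of the behaviour described in this thread, added here as an example and not part of the original posts or of pfSense's own code: it treats a static mapping on any interface as making the client "known" on every interface, as the replies describe, and lists which MACs each "deny unknown clients" scope admits only because of another interface's list. The scope dictionary layout, the function names and the MAC addresses are constructed for illustration.

```python
import re

def norm_mac(mac: str) -> str:
    """Normalise aa-bb-.., AA:BB:.. or aabb.ccdd.eeff to lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def known_clients(scopes: dict) -> set:
    """Shared-list behaviour: a static mapping on ANY interface makes the MAC 'known'."""
    return {norm_mac(m) for s in scopes.values() for m in s["static_macs"]}

def gets_lease(scopes: dict, iface: str, mac: str) -> bool:
    """Would this MAC be offered a lease on iface when the list is shared?"""
    if not scopes[iface]["deny_unknown"]:
        return True  # scope accepts anyone
    return norm_mac(mac) in known_clients(scopes)

def cross_scope_exposure(scopes: dict) -> dict:
    """Per deny-unknown scope: MACs admitted only via another interface's list."""
    known = known_clients(scopes)
    report = {}
    for iface, s in scopes.items():
        if s["deny_unknown"]:
            local = {norm_mac(m) for m in s["static_macs"]}
            report[iface] = sorted(known - local)
    return report

# Constructed sample data mirroring the thread (locally administered MACs).
PHONE = "02:00:00:00:01:01"    # listed under VLAN101 only
LAPTOP = "02-00-00-00-01-02"   # not listed anywhere at first
KIOSK = "02:00:00:00:02:01"    # listed under VLAN102 only
SCOPES = {
    "VLAN101": {"deny_unknown": True, "static_macs": [PHONE]},
    "VLAN102": {"deny_unknown": True, "static_macs": [KIOSK]},
}

if __name__ == "__main__":
    for iface, macs in cross_scope_exposure(SCOPES).items():
        print(iface, "also admits:", ", ".join(macs) or "(none)")
```

Any MAC this reports for a scope is a device that can obtain an address on that VLAN without being listed there, which is the list to review before relying on "deny unknown clients" as a per-VLAN control.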