Netgate Discussion Forum

MAC Allow address feature not working

DHCP and DNS
  • B
    bp
    last edited by bp Jul 30, 2020, 8:26 PM Jul 30, 2020, 8:09 PM

    I struggle with utilizing the MAC Allow feature in the DHCP server setup on an XG-7100U with 2.4.5-RELEASE-p1 (amd64).

    Here is the use case: I want to group devices from the same manufacturer within a certain IP address block. As such, I created multiple address pools with specific MAC allow entries.
    Pool

    The MAC inclusion list follows exactly the pfSense documentation (List of partial MAC addresses to allow, comma-separated, no spaces, e.g.: 00:00:00,01:E5:FF) https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html
    MAC Allow list

    Yet, the address assignment is a total hit and miss, and devices in the MAC Allowed list are getting addresses assigned from different pools (the pools are large enough to accommodate more devices than currently on the network).
    https://drive.google.com/file/d/1VMKDC1xBrFQbCvd2dcKb2Xo3WzlTagfv/view?usp=sharing

    I finally looked at the DHCP configuration file. Not sure if I understand the logic correctly. Does it probe for 3 elements/tokens or 3 characters? If it is the latter, the logic will never catch the 8-character MAC prefix. Can anybody from Netgate confirm?
    DHCP config

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by jimp Jul 31, 2020, 1:46 PM Jul 31, 2020, 1:45 PM

      To ensure they only pull from one pool, you must allow them in that one pool -- which excludes all others from using that pool -- and also deny them from other pools.

      So you have to do two things:

      • Add the MACs to allow in each pool -- which you have done
      • Add the MACs to the deny list for all other pools they shouldn't use (if all pools have allow lists, then you only need to add them to the deny list for the main server, not the other pools)

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • B
        bp @jimp
        last edited by bp Jul 31, 2020, 3:44 PM Jul 31, 2020, 3:43 PM

        Thanks @jimp - I will try that later.

        From a logical perspective, I am not sure though why the DHCP would require inclusion and exclusion for the same rule. If the MAC is in the inclusion list and the "deny clients by default" is checked, it should not be required to maintain the exclusion list in parallel.

        As some OEMs like Amazon and Apple have dozens of MAC prefixes assigned, this generates huge arrays that need to be loaded and checked against in a slow if/then/else logic just to confirm the obvious, that the device is not in the inclusion list?

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jul 31, 2020, 3:54 PM

          The "allow" rules exclude all others, the "deny" rules allow all others implicitly.

          You might want both if you want to allow some devices from AA:BB:CC but exclude AA:BB:CC:DD.

          That isn't what I said, though, what you want is:

          Main DHCP Server:

          • Deny MAC <all of your MAC prefixes you want to force to pools>

          Each other pool:

          • Allow MAC <just the prefixes you want>

          • B
            bp @jimp
            last edited by Aug 6, 2020, 6:46 AM

            The allow/deny scenarios make sense, didn't occur to me in the first place - appreciate the explanation.
            Took a few attempts but finally worked as desired. Thank you for the help, @jimp!
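
A small model of the pool-eligibility rules described in this thread, added here as an illustration; it is not pfSense or dhcpd code, and the pool names, MAC prefixes and addresses are constructed. It assumes prefixes are compared octet by octet, and it reports every pool a client is eligible for rather than which one the server would pick.

```python
from dataclasses import dataclass, field

def matches(mac: str, prefix: str) -> bool:
    """Octet-wise prefix match (assumption of this model): AA:BB:CC is 3 octets."""
    m, p = mac.lower().split(":"), prefix.lower().split(":")
    return m[:len(p)] == p

@dataclass
class Pool:
    name: str
    allow: list = field(default_factory=list)  # non-empty: everyone else is excluded
    deny: list = field(default_factory=list)   # everyone not listed stays allowed

    def eligible(self, mac: str) -> bool:
        # A deny match always wins; an allow list, if present, must match.
        if any(matches(mac, p) for p in self.deny):
            return False
        if self.allow:
            return any(matches(mac, p) for p in self.allow)
        return True

def eligible_pools(mac: str, pools: list) -> list:
    """Names of every pool this client may draw an address from."""
    return [p.name for p in pools if p.eligible(mac)]

# Constructed prefixes and addresses, for illustration only.
VENDOR_A, VENDOR_B = "AA:BB:CC", "11:22:33"
DEVICE_A, OTHER = "aa:bb:cc:01:02:03", "de:ad:be:ef:00:01"

# Allow lists on the vendor pools only: the main range still accepts anyone.
ALLOW_ONLY = [Pool("main"),
              Pool("vendor_a", allow=[VENDOR_A]),
              Pool("vendor_b", allow=[VENDOR_B])]

# Same pools, with the vendor prefixes also denied on the main range.
ALLOW_AND_DENY = [Pool("main", deny=[VENDOR_A, VENDOR_B]),
                  Pool("vendor_a", allow=[VENDOR_A]),
                  Pool("vendor_b", allow=[VENDOR_B])]

# Carve-out: allow AA:BB:CC but exclude the longer AA:BB:CC:DD.
CARVE_OUT = Pool("vendor_a", allow=["AA:BB:CC"], deny=["AA:BB:CC:DD"])

if __name__ == "__main__":
    for label, pools in (("allow only", ALLOW_ONLY), ("allow + deny", ALLOW_AND_DENY)):
        for mac in (DEVICE_A, OTHER):
            print(f"{label:13} {mac} -> {eligible_pools(mac, pools)}")
```

With allow lists alone, the vendor device is eligible for both its own pool and the main range; once the main range denies the vendor prefixes, it is eligible for its own pool only.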
