Netgate Discussion Forum

    MAC Allow address feature not working

    Category: DHCP and DNS (5 posts, 2 posters, 1.0k views)
    bp wrote:

      I struggle with utilizing the MAC Allow feature in the DHCP server setup on an XG-7100U with 2.4.5-RELEASE-p1 (amd64).

      Here is the use case, I want to group devices from the same manufacturer within a certain IP address block. As such, I created multiple address pools with specific MAC allow entries.
      [Screenshot: Pool]

      The MAC inclusion list follows exactly the pfSense documentation (List of partial MAC addresses to allow, comma-separated, no spaces, e.g.: 00:00:00,01:E5:FF) https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html
      [Screenshot: MAC Allow list]

      Yet, the address assignment is a total hit and miss, and devices in the MAC Allowed list are getting addresses assigned from different pools (the pools are large enough to accommodate more devices than currently on the network).
      https://drive.google.com/file/d/1VMKDC1xBrFQbCvd2dcKb2Xo3WzlTagfv/view?usp=sharing

      I finally looked at the DHCP configuration file. Not sure if I understand the logic correctly. Does it probe for 3 elements/tokens or 3 characters? If it is the latter the logic will never catch the 8 character MAC prefix. Can anybody from Netgate confirm?
      [Screenshot: DHCP config]

      jimp (Rebel Alliance Developer, Netgate) wrote:

        To ensure they only pull from one pool, you must allow them in that one pool -- which excludes all others from using that pool -- and also deny them from other pools.

        So you have to do two things:

        • Add the MACs to allow in each pool -- which you have done
        • Add the MACs to the deny list for all other pools they shouldn't use (if all pools have allow lists, then you only need to add them to the deny list for the main server, not the other pools)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          bp (replying to @jimp) wrote:

          Thanks @jimp - I will try that later.

          From a logical perspective, I am not sure though why the DHCP server would require inclusion and exclusion for the same rule. If the MAC is in the inclusion list and "deny clients by default" is checked, it should not require maintaining the exclusion list in parallel.

          As some OEMs like Amazon and Apple have dozens of MAC prefixes assigned, this generates huge arrays that need to be loaded and checked against in slow if/then/else logic just to confirm the obvious: that the device is not in the inclusion list?

            jimp wrote:

            The "allow" rules exclude all others, the "deny" rules allow all others implicitly.

            You might want both if you want to allow some devices from AA:BB:CC but exclude AA:BB:CC:DD.

            That isn't what I said, though; what you want is:

            Main DHCP Server:

            • Deny MAC <all of your MAC prefixes you want to force to pools>

            Each other pool:

            • Allow MAC <just the prefixes you want>


              bp (replying to @jimp) wrote:
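The pool selection logic jimp describes above, as an added example that is not part of this thread or of pfSense: a small model of how per-pool MAC allow/deny lists decide which pools a client may draw from, contrasting an allow-only layout (the opening post) with the main-range-denies / pool-allows layout. Prefix matching is on whole octets, the way ISC dhcpd's substring() on the hardware field works; pool names and all MAC addresses are constructed for the example.

```python
# Added example (not pfSense/Netgate code): models which DHCP pools a client
# is eligible for under per-pool MAC allow/deny lists. Prefix comparison is
# on whole octets (as dhcpd's substring() on the hardware field does).
# Pool names and MAC addresses below are constructed sample data.

def mac_has_prefix(mac: str, prefix: str) -> bool:
    """True if the leading octets of mac equal the partial MAC prefix."""
    mac_octets = mac.lower().split(":")
    prefix_octets = prefix.lower().split(":")
    return mac_octets[: len(prefix_octets)] == prefix_octets


def pool_accepts(mac: str, allow: list[str], deny: list[str]) -> bool:
    """Deny entries always exclude the client; an allow list excludes everyone
    not on it; a pool with no allow list accepts any client that is not denied."""
    if any(mac_has_prefix(mac, p) for p in deny):
        return False
    if allow:
        return any(mac_has_prefix(mac, p) for p in allow)
    return True


def eligible_pools(mac: str, pools: dict) -> list[str]:
    """Names of every pool this client could be served from."""
    return [name for name, (allow, deny) in pools.items()
            if pool_accepts(mac, allow, deny)]


# Allow lists only, as in the opening post: the main range carries no lists,
# so an allowed vendor device is still eligible for the main range too.
ALLOW_ONLY = {
    "main":   ([], []),
    "vendor": (["00:00:00", "01:E5:FF"], []),
}

# The layout jimp describes: main range denies the prefixes, each pool allows
# them. "other" also shows allowing AA:BB:CC while excluding AA:BB:CC:DD.
WITH_DENY = {
    "main":   ([], ["00:00:00", "01:E5:FF", "AA:BB:CC"]),
    "vendor": (["00:00:00", "01:E5:FF"], []),
    "other":  (["AA:BB:CC"], ["AA:BB:CC:DD"]),
}

if __name__ == "__main__":
    for mac in ("00:00:00:12:34:56", "AA:BB:CC:EE:00:01",
                "AA:BB:CC:DD:00:01", "de:ad:be:ef:00:01"):
        print(mac, "allow-only:", eligible_pools(mac, ALLOW_ONLY),
              "with-deny:", eligible_pools(mac, WITH_DENY))
```

With allow lists only, a vendor device is eligible for both "main" and "vendor", which is the hit-and-miss assignment from the opening post; with the deny entries on the main range it is eligible for "vendor" alone.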

              The allow/deny scenarios make sense; it didn't occur to me in the first place - appreciate the explanation.
              Took a few attempts but finally worked as desired. Thank you for the help, @jimp!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.