MAC Allow address feature not working

bp

I struggle with utilizing the MAC Allow feature in the DCHP server setup on an XG-7100U with 2.4.5-RELEASE-p1 (amd64)

Here is the use case, I want to group devices from the same manufacturer within a certain IP address block. As such, I created multiple address pools with specific MAC allow entries.

The MAC inclusion list follows exactly the pfSense documentation (List of partial MAC addresses to allow, comma-separated, no spaces, e.g.: 00:00:00,01:E5:FF) https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html

Yet, the address assignment is a total hit and miss, and devices in the MAC Allowed list are getting addresses assigned from different pools (the pools are large enough to accommodate more devices than currently on the network).
https://drive.google.com/file/d/1VMKDC1xBrFQbCvd2dcKb2Xo3WzlTagfv/view?usp=sharing

I finally looked at the DHCP configuration file. Not sure if I understand the logic correctly. Does it probe for 3 elements/tokens or 3 characters? If it is the latter the logic will never catch the 8 character MAC prefix. Can anybody from Netgate confirm?

jimp

To ensure they only pull from one pool, you must allow them in that one pool -- which excludes all others from using that pool -- and also deny them from other pools.

So you have to do two things:

• Add the MACs to allow in each pool -- which you have done
• Add the MACs to the deny list for all other pools they shouldn't use (if all pools have allow lists, then you only need to add them to the deny list for the main server, not the other pools)

bp

Thanks @jimpm - I will tray that later.

From a logical perspective, I am not sure though why would the DHCP require inclusion and exclusion for the same rule? If the MAC is in the inclusion list and the "deny clients by default" is checked it should not require to maintain the exclusion list in parallel.

As some OEM's like Amazon and Apple have dozens of MAC prefixes assigned this generates huge arrays that need to be loaded and checked against in a slow if/then/else logic just to confirm the obvious that the device is not in the inclusion list?

jimp

The "allow" rules exclude all others, the "deny" rules allow all others implicitly.

You might want both if you want to allow some devices from AA:BB:CC but exclude AA:BB:CC:DD.

That isn't what I said, though, what you want is:

Main DHCP Server:

• Deny MAC <all of your MAC prefixes you want to force to pools>

Each other pool:

• Allow MAC <just the prefixes you want>

bp

The allow/deny scenarios make sense, didn't occur to me in the first place - appreciate the explanation.
Took a few attempts but finally worked as desired. Thank you for the help, @jimp!