No free lease on fresh install
-
Hello,
I'm new here, I'm writing this post because I need some advice please.
I just installed one pfsense with a classic configuration (wan/lan).
For the wan : 10.0.1.0/24 ==> Static
For the lan 10.0.3.0/24
I would like to activate the DHCP Server only if the Mac address match with the following characters : 52:52:CE:52
But before doing it I enabled the DHCP server in order to test it, and sadly I'm stuck at this step... I always have the same message:
    Aug 20 13:39:13 dhcpd 64273 DHCPDISCOVER from 52:54:ce:52:09:76 via vtnet1: network 10.0.3.0/24: no free lease
    Aug 20 13:40:36 dhclient 39164 FAIL
The dhcp.lease file is
    # The format of this file is documented in the dhcpd.leases(5) manual page.
    # This lease file was written by isc-dhcp-4.4.2-P1
    # authoring-byte-order entry is generated, DO NOT DELETE
    authoring-byte-order little-endian;
    server-duid "\000\001\000\001(\262E\254RT\316R\256\320";
The DHCPD.conf file is the following
    option domain-name "lab.lan";
    option ldap-server code 95 = text;
    option domain-search-list code 119 = text;
    option arch code 93 = unsigned integer 16; # RFC4578
    default-lease-time 7200;
    max-lease-time 86400;
    log-facility local7;
    one-lease-per-client true;
    deny duplicates;
    update-conflict-detection false;
    authoritative;
    class "5254ce520101" {
        match if substring (hardware, 1, 6) = 52:54:ce:52:01:01;
    }
    class "s_lan" {
        match pick-first-value (option dhcp-client-identifier, hardware);
    }
    subnet 10.0.3.0 netmask 255.255.255.0 {
        pool {
            allow members of "5254ce520101";
            deny unknown-clients;
            range 10.0.3.50 10.0.3.100;
        }
        option routers 10.0.3.1;
        option domain-name-servers 10.0.3.1;
        ping-check true;
    }
The Mac address is exactly the mac address of my computer, even if I remove this check, I do not have any offer from my DHCPServer.
On the client side : I have only one computer (W10, fresh install).
Do you have any clue please?
Thank you in advance,
-
@mickamickatchu
Can you show the dhcp config file, when you have disabled the check?
/Bingo
-
@mickamickatchu said in No free lease on fresh install:
DHCPDISCOVER from 52:54:ce:52:09:76 via vtnet1: network 10.0.3.0/24: no free lease
That's
52:54:ce:52:09:76
and the DHCP server wants
52:54:ce:52:01:01
so he refuses to give a lease ?
-
Hello @bingo600 Hello @Gertjan
Below the file
    option domain-name "lab.lan";
    option ldap-server code 95 = text;
    option domain-search-list code 119 = text;
    option arch code 93 = unsigned integer 16; # RFC4578
    default-lease-time 7200;
    max-lease-time 86400;
    log-facility local7;
    one-lease-per-client true;
    deny duplicates;
    update-conflict-detection false;
    authoritative;
    class "s_lan" {
        match pick-first-value (option dhcp-client-identifier, hardware);
    }
    subnet 10.0.3.0 netmask 255.255.255.0 {
        pool {
            range 10.0.3.50 10.0.3.100;
        }
        option routers 10.0.3.1;
        option domain-name-servers 10.0.3.1;
        ping-check true;
    }
@Gertjan Good job, it's indeed an error on my side, but even if the mac address is equal I have the same error.
Oh I'm running these virtual machines on KVM (In case of.
-
After a reboot, if I do not put any condition on the mac address I get one IP.
If I put any condition on the mac address i get nothing.
I did a wireshark on the PFSENSE while I'm asking a new IP on my client.
-
Edit: I didn't see your above post , before i wrote this post.
So now it works wo. MAC matching, and gives a DHCP IP.
I expect the dhcp server to be ISC-DHCP, use of that is extensively documented on the net
/Bingo
*** Old Post
And the above config still give "No free leases" ?
That's strange ??
Can you show the log ?
The first log said it received the request on interface vtnet1 (Kinda' gave away it was a VM) , is that IF your lan IF ?
/Bingo
-
Edit: now it works if I remove the Mac Matching.. With it I didn't get any ip
@bingo600 Without any condition on the mac address, I got an IP.
If I put any condition on the mac address nothing works..
Indeed, I used KVM:
- Wan => 10.0.1.0/24 => NAT.
- LAN => 10.0.3.0/24 => Isolated Network.
is it a problem if the pfsense is a vm?
-
@mickamickatchu said in No free lease on fresh install:
Edit: now it works if I remove the Mac Matching.. With it I didn't get any ip
@bingo600 Without any condition on the mac address, I got an IP.
If I put any condition on the mac address nothing works..
Indeed, I used KVM:
- Wan => 10.0.1.0/24 => NAT.
- LAN => 10.0.3.0/24 => Isolated Network.
is it a problem if the pfsense is a vm?
I would not expect the VM to cause this, as an "Unconditional config" hands out a DHCP address. That proves that the "network path" is ok.
Maybe someone more experienced in pfSense DHCP & Mac-matching could chime in ....
/Bingo
-
@mickamickatchu said in No free lease on fresh install:
52:52:CE:52
That is not a full mac address, if you're trying to set a reservation? You would need the full mac..
Are you trying to only hand out mac if mac starts with that - and you don't care what the IP is? I believe that only uses first 3, not 4.. A screenshot of your dhcp server settings would be easier to read..
-
I think @MickaMickaTchu is working with this :
( but dono why he doesn't say so, and shows us instead the config files ...)
I do recall something about writing MAC partial strings for ISC DHCP server :
I know, this is old, very old, and can't tell if it's still a 'ISC' thing.
I do remember this one : https://forum.netgate.com/topic/90883/isc-dhcp-server-not-matching-partial-of-the-mac-address
-
Hello,
So Why I don't take a screenshot, and share directly the config file:
Because when I read some topics, the persons asked for config file.
So I don't know what I must paste into this forum.
Indeed I speak about the "Mac Allow" and based on the documentation : https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#mac-address-control
We can have partial mac address into this field.
Below two captures of my configuration, if you need more tell me =)
Thank you for your help!
-
@mickamickatchu This could prob use some better wording in the docs and description.
But with your setting like that - unless you have a reservation set, the client will not get a lease.
You can use the mac access controls to allow deny for which clients get which IPs out of more than one pool, etc.
And I also believe used to control which can get a lease when you have deny unknown to allow.. But in your current config - yeah since there is no specific reservation set, you would not get a lease.
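The pool rules from the posted dhcpd.conf, evaluated against a client MAC, as an added example that is not part of the thread or of pfSense's own code. It is a simplified model that assumes the dhcpd.conf(5) rule that a client must match the pool's allow list and must not match its deny list; `pool_decision` and `reserved_macs` are hypothetical names.

```python
import re

# Constructed from the dhcpd.conf posted in the thread (class and pool rules only).
CONF = '''
class "5254ce520101" {
  match if substring (hardware, 1, 6) = 52:54:ce:52:01:01;
}
subnet 10.0.3.0 netmask 255.255.255.0 {
  pool {
    allow members of "5254ce520101";
    deny unknown-clients;
    range 10.0.3.50 10.0.3.100;
  }
}
'''

CLASS_RE = re.compile(
    r'class\s+"([^"]+)"\s*\{\s*match if substring\s*\(hardware,\s*1,\s*(\d+)\)'
    r'\s*=\s*([0-9a-fA-F:]+);')

def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))

def matching_classes(conf, client_mac):
    """Names of classes whose MAC prefix rule matches client_mac."""
    # "hardware" is one type byte followed by the MAC, so offset 1 is the
    # first MAC octet and the length is the number of octets compared.
    hardware = b"\x01" + mac_bytes(client_mac)
    return [name for name, length, want in CLASS_RE.findall(conf)
            if hardware[1:1 + int(length)] == mac_bytes(want)]

def pool_decision(conf, client_mac, reserved_macs=()):
    """Return (offered, reason) for the single pool in conf."""
    known = client_mac.lower() in {m.lower() for m in reserved_macs}
    # A matching deny rule excludes the client even if an allow rule matches.
    if "deny unknown-clients;" in conf and not known:
        return False, "deny unknown-clients: no host reservation for this MAC"
    allowed = re.findall(r'allow members of "([^"]+)";', conf)
    if allowed and not set(allowed) & set(matching_classes(conf, client_mac)):
        return False, "MAC is not in any allowed class"
    return True, "pool admits client"
```

With a four-octet rule such as `substring (hardware, 1, 4) = 52:54:ce:52`, `matching_classes` accepts the logged client `52:54:ce:52:09:76`, but `pool_decision` still refuses it while `deny unknown-clients` is set and no reservation exists.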
-
Oh I see, thank you,
So, if I understand well, my main problem is that I don't have any specific reservation set. But I will not be able to know the Mac address.
Actually, I have one interface but I plan to have two interfaces, and inside them I won't know the mac address of the machines. I can set the beginning (like 52:54:CE:51) and I thought it was the solution to my problem but apparently no.
My objective is to have a reservation range of IP for each interface. e.g: Lan 1 => 10.0.3.0/24, LAN2 => 10.0.4.0/24. At this step if I enable DHCP on LAN1 interface, a machine plugged to the LAN2 interface can get an IP from LAN1 DHCP
-
@mickamickatchu said in No free lease on fresh install:
At this step if I enable DHCP on LAN1 interface, a machine plugged to the LAN2 interface can get an IP from LAN1 DHCP
Well then your setup is broken.. And you don't actually have isolation between your networks. Your 2 networks should be either physically isolated, or isolated via vlans. There should be no way lan 1 interface would ever see a discovery from lan 2 network since they should be isolated at layer 2. And vice versa, 2 should never see discovery broadcasts from network 1.
I have 8 different networks, all correctly isolated at layer 2.. dhcp on network A, never sees broadcast from any other network, etc. Trying to isolate devices by just using different IP space when they sit on the same network is not valid from a security point of view. You can isolate at layer 2 even if everything is virtual. You just need to set up your virtual network and how it connects to your physical network correctly to do so.
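One way to check the layer 2 isolation described above from the DHCP server log, as an added example that is not part of the thread: it flags a client whose DHCPDISCOVER broadcast arrives on more than one interface within a few seconds. The sample log is constructed in the format of the line quoted in the first post; `vtnet2` and the function name `shared_segments` are assumptions.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\b.*?DHCPDISCOVER from "
    r"([0-9a-f:]{17})(?: \([^)]*\))? via ([^\s:]+)", re.I)

# Constructed sample log; vtnet1/vtnet2 stand for LAN1/LAN2.
SAMPLE = """\
Aug 20 13:39:13 dhcpd 64273 DHCPDISCOVER from 52:54:ce:52:09:76 via vtnet1: network 10.0.3.0/24: no free lease
Aug 20 13:39:13 dhcpd 64273 DHCPDISCOVER from 52:54:ce:52:09:76 via vtnet2
Aug 20 13:41:02 dhcpd 64273 DHCPDISCOVER from 52:54:ce:52:0a:10 (pc2) via vtnet2
Aug 20 13:55:40 dhcpd 64273 DHCPDISCOVER from 52:54:ce:52:0a:10 (pc2) via vtnet1
Aug 20 13:56:00 dhcpd 64273 DHCPDISCOVER from 52:54:ce:52:0b:22 via 10.0.4.2
"""

def shared_segments(log_text, window=timedelta(seconds=5)):
    """Return {mac: sorted interfaces} for MACs whose DISCOVER broadcast
    arrived on more than one interface within `window`."""
    last_seen = {}  # mac -> {interface: time of latest DISCOVER}
    leaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, mac, iface = m.group(1), m.group(2).lower(), m.group(3)
        if re.fullmatch(r"[\d.]+", iface):
            continue  # relayed request: "via" names a relay IP, not a NIC
        # Syslog stamps carry no year; a fixed one is assumed for comparison.
        when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
        seen = last_seen.setdefault(mac, {})
        seen[iface] = when
        near = {i for i, t in seen.items() if abs(when - t) <= window}
        if len(near) > 1:
            leaks.setdefault(mac, set()).update(near)
    return {mac: sorted(ifs) for mac, ifs in leaks.items()}
```

The time window keeps a machine that was moved from one network to the other minutes later from being reported; only a broadcast heard on both interfaces at about the same moment counts.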