DHCP server listens on all IPs
-
I am using pfSense 2.5.2.
I have two LAN interfaces and I would like to run ISC DHCP on one and FreeRADIUS DHCP on another. To that end, I configured the DHCP tab as shown below:
However, when I check the socket status, I get this:
[2.5.2-RELEASE][root@pfSense.home.arpa]/root: sockstat | grep dhcpd dhcpd dhcpd 73931 3 dgram -> /var/dhcpd/var/run/log dhcpd dhcpd 73931 8 udp4 *:67 *:* dhcpd dhcpd 73931 11 stream /var/run/php-fpm.socket dhcpd dhcpd 73931 12 stream /var/run/php-fpm.socket root syslogd 26720 6 dgram /var/dhcpd/var/run/logWhich suggests that turning DHCP server on one interface turns it on on all. Is this a bug or am I doing something wrong?
-
I don't know the "inners" of the pfSense dhcp setup.
But why do you care if the DHCP server listens on all interfaces, as long as it does NOT hand out DHCP ip addresses on the disabled interfaces (Non matching scopes)?
/Bingo
-
@bingo600 said in DHCP server listens on all IPs:
But why do you care if the DHCP server listens on all interfaces, as long as it does NOT hand out DHCP ip addresses on the disabled interfaces (Non matching scopes)?
Because I would like to run FreeRADIUS's DHCP server on one and only one of the interfaces. FreeRADIUS complains when the socket is already bound.
I could run FreeRADIUS DHCP on all interfaces, but I would like to implement different logic for each. There is also the extra issue of FreeBSD not supporting binding to interface names, but only IP addresses, so it runs in unicast DHCP mode only, which means I will have to use some sort of DHCP relay if I use FreeRADIUS DHCP. However, pfSense's DHCP relay functionality won't allow me to relay the request to a non-default port, which is another complication.
The problem is that there some rogue users on site that run automatic IP changing software on their devices. Of course, it only makes sense that such software is designed to move to an unused IP address to avoid and IP conflict, but still we don't want them to do that. Also imagine what would happen if the DHCP server leased an IP address to a device that is already using it.
Currently I can allocate multiple MAC addresses to a user, and they can't log in with a different one. I know I can also issue each registered device its own IP address, but without some sort of DHCP server running on the relevant LAN interface, they will have to configure their IP settings manually.
What I want to achieve is to configure pfSense and FreeRADIUS so that users will be able to use their registered devices using only the IP addresses assigned to those devices.
I have set up a test site in my home lab and I am ready and willing to try new ideas.
-
I see the issue.
And the DHCP forwarder won't work if the DHCP server is active.If i had that issue , I'd prob. end up running the specific DHCP & FreeRadius on a separate server , and connect that to the specific L2 Lan.
Might not be optimal if the site is remote with just a pfSense present.
/Bingo
-
@bingo600 said in DHCP server listens on all IPs:
If i had that issue , I'd prob. end up running the specific DHCP & FreeRadius on a separate server , and connect that to the specific L2 Lan.
Or even better, get hold of an old laptop, install Debian on it and move FreeRADIUS and other utilities to that one. I can't think of anything else right now. What would you recommend?
-
@scilek said in DHCP server listens on all IPs:
@bingo600 said in DHCP server listens on all IPs:
If i had that issue , I'd prob. end up running the specific DHCP & FreeRadius on a separate server , and connect that to the specific L2 Lan.
Or even better, get hold of an old laptop, install Debian on it and move FreeRADIUS and other utilities to that one. I can't think of anything else right now. What would you recommend?
That was what i meant with "server"
A raspberry-pi could do it , but i'd not use such a "beast" for production , primarily due to the SD card.
If it had M2 or EMMC yes , but SD in a prod environment ... Naah./Bingo