DHCP / ARP Table Issue



  • How can we set pfSense to only allow leases to be acquired by MAC addresses in the ARP table?

    Specifically do we need both of these checked:

    Deny unknown clients:
    If this is checked, only the clients defined below will get DHCP leases from this server.

    Enable Static ARP entries:
    Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

    What is the difference between these two?

    Can we just set the Range to zero addresses, or should it be the full Available Range?

    If we do want to reserve a small range of addresses to be assigned without having to input a MAC, how would we do that? Is there a way to set these so that they have access to the internet but no access to internal resources?

    Thanks,
    Joel



  • @joel.baxter:

    Deny unknown clients:
    If this is checked, only the clients defined below will get DHCP leases from this server.

    This only affects the DHCP server.
    The pfSense will communicate with devices not on the list below.
    -> You can configure a device with a static IP and it still can use the pfSense to access the internet.

    @joel.baxter:

    Enable Static ARP entries:
    Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

    Here you essentially write the ARP table by hand.
    Only devices on the list can communicate with the pfSense.
    If the device is not on the list it cannot access the internet even if the IP gateway configuration is correct.

    @joel.baxter:

    Can we just set the Range to zero addresses, or should it be the full Available Range?

    What do you want? Set the range of available DHCP addresses to 0?
    I'm not sure if this works, but you can just set the range to the netID
    (example: subnet:192.168.0.0/24 pfSense 192.168.0.1/24
    DHCP-range start: 192.168.0.0, end 192.168.0.0)
    I don't know how this will behave, but you can enter it like this in the webGUI.

    @joel.baxter:

    If we do want to reserve a small range of addresses to be assigned without having to input a MAC, how would we do that? Is there a way to set these so that they have access to the internet but no access to internal resources?

    Just let the DHCP run.
    If you do this you cannot have the above two options.
    Why don't you add another interface for "guests"?
    You cannot use the pfSense to control what within your network can access what.
    Traffic flowing only over the switch never reaches the firewall rules of the pfSense.
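To make the distinction in this reply concrete, here is a small constructed model of the two options (an added example, not pfSense code; the option names, MACs and addresses are assumptions for illustration): "Deny unknown clients" only decides whether a DHCP lease is handed out, while "Enable Static ARP entries" decides whether the firewall will exchange frames with a host at all, so a host with a manually configured IP passes the first check but not the second.

```python
# Constructed model of the two pfSense DHCP-server options discussed above.
# This is an added illustration, not pfSense's own code or config format.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Dhcpd:
    range: Tuple[str, str]          # dynamic pool (from, to), assumed inside one /24
    static_map: Dict[str, str]      # the "clients defined below": MAC -> reserved IP
    deny_unknown: bool = False      # "Deny unknown clients"
    static_arp: bool = False        # "Enable Static ARP entries"

def pool(start: str, end: str) -> List[str]:
    """Expand a pool such as ('192.168.0.100', '192.168.0.110') into addresses."""
    head, lo = start.rsplit(".", 1)
    hi = end.rsplit(".", 1)[1]
    return [f"{head}.{n}" for n in range(int(lo), int(hi) + 1)]

def dhcp_lease(cfg: Dhcpd, mac: str, leased: Set[str]) -> Optional[str]:
    """What the server offers a DISCOVER from `mac`: its reserved IP, a free pool
    address, or nothing. deny_unknown affects only this lease decision."""
    if mac in cfg.static_map:
        return cfg.static_map[mac]
    if cfg.deny_unknown:
        return None                          # unknown client gets no lease
    free = [ip for ip in pool(*cfg.range) if ip not in leased]
    return free[0] if free else None         # empty/exhausted range -> nothing

def firewall_talks_to(cfg: Dhcpd, mac: str, ip: str) -> bool:
    """Whether the firewall exchanges frames with host (mac, ip) on this NIC.
    With static ARP the table is written from the static map and never learned,
    so the host must appear there with exactly that MAC/IP pairing. Without it,
    a host with a hand-configured IP is reachable even if it never got a lease."""
    if not cfg.static_arp:
        return True
    return cfg.static_map.get(mac) == ip

def internet_access(cfg: Dhcpd, mac: str, static_ip: Optional[str] = None) -> bool:
    """A host reaches the internet through the firewall if it has an address
    (leased or hand-configured) and the firewall is willing to talk to it."""
    ip = static_ip or dhcp_lease(cfg, mac, set())
    return ip is not None and firewall_talks_to(cfg, mac, ip)
```

Run the functions with both options off, then with "Deny unknown clients" alone, then with both on, and an unknown MAC that sets its own IP is only cut off in the last case.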

