Static IP - MAC mapping inside DHCP dynamic pool - how to?
-
Hi pfSense Gurus!
How can I make a static IP reservation for certain MACs INSIDE the DHCP dynamic pool?
For example, to simplify administration & monitoring I need to give certain equipment IPs that are recognizable, i.e. 192.168.5.99, 5.88, 5.77, 5.66, 5.55, 5.44, 5.33, 5.22, 5.11, 5.199, 5.188, and so on... (18 devices in total for each "C" class net).
This is for a small organization's management & monitoring needs (easy to remember and keeps documentation updates right), like hardcoding some of the equipment structure and preventing other staff members (or bad guys) from installing something unwanted. However, a sophisticated bad guy is able to sniff traffic with Wireshark and imitate the MAC of a certain "legal" device, but anyway these reservations are just one more step to keep the bad guy from succeeding so quickly.
P.S.
All solutions I was able to read here on the forum and in other places suggest that you need to REDUCE the dynamic pool range and only after that create static mappings OUTSIDE of this pool. But as you may see from the example, I need IP RESERVATION INSIDE THE DYNAMIC POOL (like in any cheap $20 router ;)
Thank you all for detailed suggestions!
-
@sergei_shablovsky See https://docs.netgate.com/pfsense/en/latest/services/dhcp/mappings-in-pools.html...they do it that way because the software pfSense uses doesn't reserve the address.
"If the PC that normally has 192.168.0.25 is ever offline another device could be assigned 192.168.0.25.
...
As such, it is best to only make assignments outside the range/pool, and the GUI enforces this practice. If assignments absolutely must be made inside the pool, and the risks involved are worth taking and want to do so anyway, the input validation check may be removed from the PHP file that drives the DHCP editor page. The details of this unsupported change are left out as an exercise for the reader."
Windows Server does it the complete other way, you need to make a reservation inside the address pool.
-
@steveits said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
@sergei_shablovsky See https://docs.netgate.com/pfsense/en/latest/services/dhcp/mappings-in-pools.html...they do it that way because the software pfSense uses doesn't reserve the address.
"If the PC that normally has 192.168.0.25 is ever offline another device could be assigned 192.168.0.25.
...
As such, it is best to only make assignments outside the range/pool, and the GUI enforces this practice. If assignments absolutely must be made inside the pool, and the risks involved are worth taking and want to do so anyway, the input validation check may be removed from the PHP file that drives the DHCP editor page. The details of this unsupported change are left out as an exercise for the reader."
Windows Server does it the complete other way, you need to make a reservation inside the address pool.
Because of this pfSense behavior I am trying to find how to reserve (hard-link IP to MAC) IPs for certain equipment WITHOUT reducing the address range.
-
@sergei_shablovsky you can always do multiple pools with dhcp..
So say your range is a /24, you could make a pool 2-100 for example and another pool that was 150-254 or something..
This would give you 101-149 that could be reserved "outside" the pools... You could get as granular as you wanted, where you have pools that skip all sorts of numbers that fall inside the /24, to allow your specific IPs inside your range to be reserved "outside" the pools.
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#additional-pools
-
@johnpoz said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
@sergei_shablovsky you can always do multiple pools with dhcp..
So say your range is a /24, you could make a pool 2-100 for example and another pool that was 150-254 or something..
This would give you 101-149 that could be reserved "outside" the pools... You could get as granular as you wanted, where you have pools that skip all sorts of numbers that fall inside the /24, to allow your specific IPs inside your range to be reserved "outside" the pools.
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#additional-pools
Thank you, John, for the detailed explanation!
But how does this help me resolve my exact case?
....to simplify administration & monitoring I need to give certain equipment IPs that are recognizable, i.e. 192.168.5.99, 5.88, 5.77, 5.66, 5.55, 5.44, 5.33, 5.22, 5.11, 5.199, 5.188, and so on... (18 devices in total can be reserved in this manner for each "C" class net).
Going your way (creating sub-pools), I need to manually create
5.2-5.10
5.12-5.21
5.23-5.32
5.34-5.43
5.45-5.54
5.56-5.65
5.67-5.76
5.78-5.87
5.89-5.98
...- another 9 sub-pools
———
In total 18 sub-pools.
Is this really the best and only solution?
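The sub-pool bookkeeping in the post above (the list of skipped ranges, computed by hand) and johnpoz's multi-pool suggestion are easy to get wrong manually. The following is an added example, not code from this thread or from pfSense: it computes the sub-pools that skip a given set of reserved host numbers, checks the invariant the pfSense GUI enforces (no fixed address inside a dynamic pool, pools non-overlapping), and renders the result as an ISC-dhcpd-style fragment. The subnet, MAC addresses and hostnames are constructed for illustration; pfSense writes its own dhcpd configuration from the GUI, so the rendered text is for review, not for pasting. As the original poster already notes, a MAC reservation is an inventory convenience, not an authentication control: a host that spoofs a reserved MAC gets the reserved address.

```python
"""Added example: split a DHCP dynamic range around reserved host numbers.

Given one dynamic range (e.g. .2-.254) and the host numbers that must stay
pinned to specific MACs, compute the sub-pools that skip every reserved
address, verify the result, and render it as an ISC-dhcpd-style fragment.
Subnet, MACs and hostnames below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple

Pool = Tuple[int, int]  # inclusive host-number range within the subnet

# Constructed sample subnet and the single dynamic range the GUI would use.
SUBNET = ipaddress.ip_network("192.168.5.0/24")
RANGE_START, RANGE_END = 2, 254

# The "double digit" scheme from the thread: .11 .. .99 and .111 .. .199
# (18 host numbers per /24).
DOUBLE_DIGIT_HOSTS: List[int] = [11 * k for k in range(1, 10)] + \
                                [100 + 11 * k for k in range(1, 10)]

# Hypothetical MAC -> (host number, hostname); locally administered MACs,
# not real devices.
RESERVED: Dict[str, Tuple[int, str]] = {
    "02:00:00:00:00:0b": (11, "env-monitor"),
    "02:00:00:00:00:21": (33, "pdu"),
    "02:00:00:00:00:37": (55, "cooling"),
}


def split_pools(start: int, end: int, reserved: List[int]) -> List[Pool]:
    """Return the inclusive sub-ranges of start..end that skip every reserved
    host number. Reserved numbers outside start..end are ignored; adjacent
    reserved numbers never produce an empty pool."""
    if start > end:
        raise ValueError("empty range")
    pools: List[Pool] = []
    cur = start
    for host in sorted({h for h in reserved if start <= h <= end}):
        if host > cur:            # there is room before this reservation
            pools.append((cur, host - 1))
        cur = host + 1            # resume after it
    if cur <= end:                # tail after the last reservation
        pools.append((cur, end))
    return pools


def check_pools(pools: List[Pool], reserved: List[int]) -> bool:
    """The invariant pfSense's GUI enforces: no reserved address lies inside a
    dynamic pool, every pool is non-empty, and pools are ordered and disjoint."""
    for lo, hi in pools:
        if lo > hi or any(lo <= h <= hi for h in reserved):
            return False
    return all(pools[i][1] < pools[i + 1][0] for i in range(len(pools) - 1))


def reserved_hosts(reserved: Dict[str, Tuple[int, str]]) -> List[int]:
    """Host numbers taken by the MAC reservations."""
    return [host for host, _ in reserved.values()]


def render_dhcpd(subnet: ipaddress.IPv4Network, pools: List[Pool],
                 reserved: Dict[str, Tuple[int, str]]) -> str:
    """Render ISC-dhcpd-style 'pool { range ... }' and 'host' declarations.
    Illustrative only: pfSense generates its own dhcpd.conf from the GUI."""
    base = subnet.network_address
    out = [f"subnet {base} netmask {subnet.netmask} {{"]
    for lo, hi in pools:
        out.append(f"  pool {{ range {base + lo} {base + hi}; }}")
    out.append("}")
    for mac, (host, name) in sorted(reserved.items(), key=lambda kv: kv[1][0]):
        out.append(f"host {name} {{ hardware ethernet {mac}; "
                   f"fixed-address {base + host}; }}")
    return "\n".join(out)


if __name__ == "__main__":
    hosts = reserved_hosts(RESERVED)
    pools = split_pools(RANGE_START, RANGE_END, hosts)
    assert check_pools(pools, hosts)
    print(render_dhcpd(SUBNET, pools, RESERVED))
    # The full 18-address scheme from the thread needs 19 pools on a .2-.254 range.
    print(len(split_pools(RANGE_START, RANGE_END, DOUBLE_DIGIT_HOSTS)), "pools")
```

Running the block prints the fragment for the three sample reservations, and shows that the full 18-address scheme on a .2-.254 range produces 19 pools (the nine listed in the post, then .100-.110, eight more between .112 and .198, and a final .200-.254 pool), so the count in the post undercounts by one. Reservations placed at the very start or end of the range, or next to each other, collapse pools rather than producing empty ones.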
-
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
I need to giving certain equipment the IP that would be recognizable
You NEED to? Why does something need to have .77 or .88 as its address? Seems over-complicated..
But if that is the sort of nonsense you want to do - have at it.. Why is .99 more "recognizable" than .72?
Is this really the best and only solution?
No - but it seems like it's the sort of over-complicated solution you want to come up with.. Why not make your pool .31-.254?
Now you have .1 to .30 to use for your stuff you want to have a specific IP.. .1 being pfSense. Or use .2-.220 or something and use .221 to .254 for stuff.. You trying to use .77, .88, .99 for your whatever equipment is not something I can say I have ever seen in some 30 years in the biz.. Common practice I have seen used at countless companies is to use either the first part or the last part of the range for statics or reservations.
The reason you might want to have a range in the middle is maybe you have devices that are in the range already; maybe they were on the last part of your /25 before, and now you want to expand the range to a /24 and let those static devices stay without having to re-IP them, etc.
-
@johnpoz said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
You NEED to? Why does something need to have .77 or .88 as its address? Seems over-complicated..
But if that is the sort of nonsense you want to do - have at it.. Why is .99 more "recognizable" than .72?
Are you serious? No joke?
The answer is very simple: because remembering the fact that all double-digit IPs .99, .88, .77 etc. are my equipment, neither guests' nor temporarily installed, etc... IS PRETTY EASY.
-
@johnpoz said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
You trying to use .77, .88, .99 for your whatever equipment is not something I can say I have ever seen in some 30 years in the biz.. Common practice I have seen used at countless companies is to use either the first part or the last part of the range for statics or reservations.
With all my appreciation for your knowledge and value here in the community, but:
If you have not seen some solution before (even with wide contacts and hundreds of installations), that does not mean the solution is wrong or has no reason.
Many people (even highly educated engineers with degrees) do not think and analyze, they just do it like "google for a solution - copy the solution - if it works, go to the next task or the pub". So, it is very possible that you see thousands of persons who "just copy and don't think".
And then we all see thousands of data leaks, DB hacks, etc... Just because even in an enterprise the sysadmins are not thinking... More than this, I am pretty sure you have not seen many sysadmins who do proper equipment and cable labeling with QR codes (where one tap on an iPad/iPhone opens the sheet with all data about this equipment/cable, or opens an Augmented Reality plane), like this
Is this hard to implement - definitely NO. People just do not think.... Another example: see the not-too-old "Performing Out-of-Band Network Management" document from "US National Security Agency | Cybersecurity Information" and you are able to see just horrific mistakes, one even a wrong/outdated decision. Why? Because no one seriously cares. Even in this department someone "Pro" just copy/pastes "old docs from the Internet"... Again, people just do not think...
Like only a few people on this forum pay attention to the rapidly growing implementation of the QUIC protocol. And one day BOOM! And everyone here starts realizing that old-fashioned filtering is coming close to its end, because more and more ISPs implement QUIC in their core, more and more mobile apps start using QUIC, more web browsers come with QUIC enabled by default...
Back to the topic: I am STRONGLY SURE that remembering the fact that .99, .88, .77 "double numbers" are the company's own stable equipment IS EASIER than anything else.
(Because as a SysAdmin I need to remember A LOT of other things as well...)
-
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
fact that all double digits IPs .99, .88, .77 etc are my equipment
Which is nonsense - makes no sense at all to do something like that... Can say that 2-30 is your equipment, or 221-254 is your equipment.
Do what you want - just offering up how you can do what you ask, which is different pools... You don't like that solution - and you think it's over-complicated because you think your devices should be 88, 99, 77 etc.. Really?? Versus all of them being adjacent, 10-20 for example.. Sorry, that just makes zero sense to anybody but you.
I have a bunch of light bulbs on my IoT network.. What makes more sense: should I make the light bulbs' IPs 11, 22, 33, or just say hey, 2-30 are light bulbs.. If I get more light bulbs I can easily just move the pool from being .31-254 to .41-254, and now I can have 10 more light bulbs, etc.. Shotgunning IPs throughout your scope makes no sense.
I also have the switches on this IoT network, so light bulbs can be 2-30, and the little switches that turn on, say, the Xmas tree or the lamp can be, say, 240-254 out of the /24.
Now I know just from an IP what the device type is, etc.. without having to shotgun assignments out of the 1-254 scope.
This is easy to adjust... You could use, say, .2-20 out of your scope for reservations, and 240-254 for IPs you assign statically on the device, for example.
Another simple solution would be to just put these devices on their own VLAN, and assign a small DHCP scope, say .250-254, and then you have .2-249 for use in reservations for your equipment, etc. This way you can easily bring a device onto this VLAN where it gets a DHCP address in the .250-254 range, and then you reserve its IP and it changes to something in the .2-249 range.
I am sorry, but 11, 22, 33, 44 for the devices you want to have a specific IP via reservation or static makes no sense at all..
If you don't want your devices to be on the ends of your scope, then create 2 scopes, where, say, .2-49 is DHCP and .61-254 is another pool, and now you can use 50-60 for your devices, etc..
Now with your multiple pools and some MAC defining - maybe all your phones are from the same company and their MACs start with aa:bb:cc - you can have them use the first pool and get IPs from 2-49, and your other user devices get IPs out of the 61-254 pool, etc..
-
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
ARE You serious? No joke?
The answer is very simple: because remembering the fact that all double-digit IPs .99, .88, .77 etc. are my equipment, neither guests' nor temporarily installed, etc... IS PRETTY EASY.
WTF?
That's nonsense. You create a pool and anything that's not in that pool is your equipment. For example, here the range .200 - .254 is the DHCP pool. Anything below 200 is my stuff. What could be easier than that?
It seems to me you're creating your own problem.
-
@jknott said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
WTF?
Please keep breathing normally :)
That's nonsense. You create a pool and anything that's not in that pool is your equipment. For example, here the range .200 - .254 is the DHCP pool. Anything below 200 is my stuff. What could be easier than that?
It seems to me you're creating your own problem.
It seems you cannot read the first question carefully: the key points are "small company/org" and "certain equipment/client".
This means, in conditions with:
- a small number of pfSense clients (in a small company there are 10-50 IPs of humans' iPads/iPhones);
- 10-15 IPs of some special equipment;
maybe you are happy to spend the rest of the day seeking (or even keeping in mind) which IP is exactly for which equipment, but I am decidedly too busy for this.
Each small thing that eliminates my work hours is good for me. Because a bunch of these "small things" lets me be free to keep attention on other, more important things.
For me, remembering that in all my datacenters
.11 means Environment Monitoring Equipment
.33 means PDU/CDU
.55 means Cooling Unit
is pretty easy.
But if you prefer to keep a lot of papers with notes, or do a netscan each time (to realize that .115 is the UPS, .120 the PDU, .124 Environment, etc....) - this is your manner of working.
P.S.
Outside of this topic, but:
If you are so emotional and clever, maybe you have the answer to "Why are the Reboot and Halt System commands still in Diagnostics and not in System in the pfSense WebGUI?"
Because Halt / Reboot ARE NOT FOR TESTING, IT'S A CORE ACTION ABOUT THE WHOLE SYSTEM!
Maybe this is also logical to you? :)
-
In my home office environment that's how I do it: create a pool for the cameras that's outside the pool range, e.g. pool 1 (2 - 20), pool 2 (30 - 255)... cameras (21 - 29); so they're in a pool outside the pool range.
-
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
For me, remembering that in all my datacenters
.11 means Environment Monitoring Equipment
.33 means PDU/CDU
.55 means Cooling Unit
is pretty easy.
You can still do that by having them separate from the DHCP pool. Either way, you have to manually map a MAC to IP address, whether separate from the pool or mixed in.
-
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
Because Halt / Reboot ARE NOT FOR TESTING, IT'S A CORE ACTION ABOUT THE WHOLE SYSTEM!
Maybe this is also logical to you?
Since I run Linux and not Windows, "reboot" is not part of my vocabulary.
-
@jknott said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
Because Halt / Reboot ARE NOT FOR TESTING, IT'S A CORE ACTION ABOUT THE WHOLE SYSTEM!
Maybe this is also logical to you?
Since I run Linux and not Windows, "reboot" is not part of my vocabulary.
I understand your joke. BTW, personally I have not used Windows for work for around 25 years.
What about being serious and answering my question regarding the right place for the Reboot / Halt menu item? :)
-
@jknott said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
For me, remembering that in all my datacenters
.11 means Environment Monitoring Equipment
.33 means PDU/CDU
.55 means Cooling Unit
is pretty easy.
You can still do that by having them separate from the DHCP pool. Either way, you have to manually map a MAC to IP address, whether separate from the pool or mixed in.
So, you just repeat @johnpoz's answer. No new info.
-
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
What about being serious and answering my question regarding the right place for the Reboot / Halt menu item? :)
You mean this question?
"Why are the Reboot and Halt System commands still in Diagnostics and not in System in the pfSense WebGUI?"
Rebooting & halting are not something you normally do with routers. You just let them run 24/7. As far as I can tell, you normally reboot pfSense with an update and not much else. When needed, instead of rebooting, you can just restart some service, just like with Linux. So, you don't need them right up front, as they are in Windows. I suppose Diagnostics was the most logical place for them.
From my pfSense:
/root: uptime
2:42PM up 87 days, 23:34, 3 users, load averages: 0.01, 0.04, 0.00
It was powered down only because I was moving stuff around here.
-
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
So, you just repeat @johnpoz's answer. No new info.
I think the point we're both making is we don't understand your reason for doing what you want. It doesn't make sense.
-
@johnpoz said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
fact that all double digits IPs .99, .88, .77 etc are my equipment
Which is nonsense - makes no sense at all to do something like that... Can say that 2-30 is your equipment, or 221-254 is your equipment.
Do what you want - just offering up how you can do what you ask, which is different pools... You don't like that solution - and you think it's over-complicated because you think your devices should be 88, 99, 77 etc.. Really?? Versus all of them being adjacent, 10-20 for example.. Sorry, that just makes zero sense to anybody but you.
I have a bunch of light bulbs on my IoT network.. What makes more sense: should I make the light bulbs' IPs 11, 22, 33, or just say hey, 2-30 are light bulbs.. If I get more light bulbs I can easily just move the pool from being .31-254 to .41-254, and now I can have 10 more light bulbs, etc.. Shotgunning IPs throughout your scope makes no sense.
I also have the switches on this IoT network, so light bulbs can be 2-30, and the little switches that turn on, say, the Xmas tree or the lamp can be, say, 240-254 out of the /24.
Now I know just from an IP what the device type is, etc.. without having to shotgun assignments out of the 1-254 scope.
This is easy to adjust... You could use, say, .2-20 out of your scope for reservations, and 240-254 for IPs you assign statically on the device, for example.
Another simple solution would be to just put these devices on their own VLAN, and assign a small DHCP scope, say .250-254, and then you have .2-249 for use in reservations for your equipment, etc. This way you can easily bring a device onto this VLAN where it gets a DHCP address in the .250-254 range, and then you reserve its IP and it changes to something in the .2-249 range.
I am sorry, but 11, 22, 33, 44 for the devices you want to have a specific IP via reservation or static makes no sense at all..
If you don't want your devices to be on the ends of your scope, then create 2 scopes, where, say, .2-49 is DHCP and .61-254 is another pool, and now you can use 50-60 for your devices, etc..
Now with your multiple pools and some MAC defining - maybe all your phones are from the same company and their MACs start with aa:bb:cc - you can have them use the first pool and get IPs from 2-49, and your other user devices get IPs out of the 61-254 pool, etc..
I carefully read your answer once again. So another idea came to my head:
Switch DHCP off on the interface for local LANs that have a once-installed (and rarely changed) set of equipment?
For example, CDUs/PDUs are installed inside racks once and added/changed once per 5 years or less often. (Ok, sometimes we need to repair something and take a hot-spare unit off the shelf as a temporary replacement.)
The same situation for Cooling, Environment Monitoring devices, Security Cameras & Recorders, rack door locks, motion & sound sensors... Sounds reasonable. Even if the MAC-IP table would be 150-200 rows.
What do you say about this?
-
@jknott said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
@sergei_shablovsky said in Static IP - MAC mapping inside DHCP dynamic pool - how to?:
So, you just repeat @johnpoz's answer. No new info.
I think the point we're both making is we don't understand your reason for doing what you want. It doesn't make sense.
Maybe you are right. Please see my last reply to @johnpoz.