DHCP server and Firewall as static entry

JonathanLee · Jun 5, 2023, 2:45 PM

@Gertjan sorry I wrote this pretty late I guess I meant to say is it best practice to add a static entry for the firewall

johnpoz · Jun 5, 2023, 3:09 PM

@JonathanLee said in DHCP server and Firewall as static entry:

best practice to add a static entry for the firewall

No there should be no reason to, since unless the interface is a wan interface it wouldn't be dhcp anyway. Normal common best practice is the change your dhcp range to not include the IP used by pfsense in the first place.

If you are worried that your dhcp could in theory had out a duplicate for pfsense IP.. set yoru dhcp range to not include that.. For example if pfsense is .1, then set your range to .2 - .254

JonathanLee · Jun 5, 2023, 4:24 PM

@johnpoz thanks for the reply,

So far this is my configuration,

(subnet I am using)

(configured in DHCP server)

Addresses they are all statically assigned. I do not use any that are dynamically assigned from a pool. I try to limit this as the wifi system runs on 192.168.1.2 in bridge mode and relays the addresses.

(system uses bridge mode for wifi)

(auto configures with 192.168.1.1 as the gateway to get off network)

wifi uses timed access with static MAC also

This was my reason for thinking well maybe Squid needs to know the arp table entry, as I was having null errors on clam AV updates.

This was the first time I have seen it show no error on a update without having to do it multiple times,

@Gertjan I have it listed under the arp cache as permanent just like before without the static entry.

Does it matter or should I delete the entry? I was surprised to see that Clam AV no longer says NULL IP anymore when it updates.

johnpoz · Jun 5, 2023, 4:28 PM

@JonathanLee I don't use clamav so no idea what it use to do or does now for IP.

But if you are using a /27 then sure a range of .19-20 is pretty small for available IPs.. would allow you some IPs to set static. Setting a reservation for pfsense IP seems pointless to me, but it not going to "hurt" anything. Its never going to use it that is for sure - but hey if it makes it easier for you to read and know by looking at your reservations that IP is in use..

While I am all for proper sized segments.. it is also really common to just use a /24 for home or smb segments.. This easy allow for setting the 3rd octet for your different segments to know really easy without having to do any cidr math on which segment this IP is on ;)

There is plenty of space in the 192.168 range that using a /24 for each segment/vlan your going to setup allows for lots of vlans/segments..

No need to worry about running out of space, etc. And I also set the vlan ID to match the segment, for example my 192.168.4/24 - guess what ID that vlan has - 4 ;)

What drives me nuts is seeing use of say 10/8 or 192.168/16 - /27 seems a bit tight, but hey its your network if you want to use /27 go for it..

JonathanLee · Jun 5, 2023, 4:34 PM

@JonathanLee

Wifi I just changed to static

Just to confirm the DHCP server on the firewall should exclude a mac/ip mapping for the firewalls interface? I have deleted it. Thanks

johnpoz · Jun 5, 2023, 4:43 PM

@JonathanLee said in DHCP server and Firewall as static entry:

DHCP server on the firewall should exclude a mac/ip mapping for the firewalls interface?

Yes it is good practice to not include IPs your going to use statically on your network inside the range of your dhcp server.. I mean pfsense won't even let you set a reservation for an IP that is inside your dhcp scope.

If you do not include it in the range of IPs the dhpd can hand out, then it would be impossible for the dhcp server to hand out a duplicate.

But even you did include it, again unless you on purpose disable the ping check, the dhcpd pings an IP before it hands out a lease.. It should be almost impossible for it not to be able to ping its own IP address, so even if the range included the IP of pfsense - it should never hand it out.

But I see no need to set a range that excludes your pfsense IP, and also set as reservation (that is would never use) as well..

JonathanLee · Jun 5, 2023, 4:55 PM

@johnpoz "But I see no need to set a range that excludes your pfsense IP, and also set as reservation (that is would never use) as well.."

I was researching this to see if I could fix Squid Clam AV intermittent NULL ip error I was surprised it worked and showed with the green up check mark. Yes the Arp cache/table marks that mapping as permanent, I wonder if Squid had issues getting to it or something. I just thought last night test it, it's not gonna work but give it a go, and the thing went to green and recognized it inside of the mapping, after that I thought hmmm shouldn't that be blocked as it's the LAN interface of the firewall. Thanks for your reply

JonathanLee · Jun 6, 2023, 5:44 PM

after other tests the NULL issue with Squid still randomly occurs even with the static entry when testing further. System normalized

johnpoz · Jun 6, 2023, 5:48 PM

@JonathanLee because setting a reservation that would never be used does nothing as already stated

Why you thought it had anything to do with whatever you seeing clamav I have no idea

JonathanLee · Jun 6, 2023, 5:49 PM

@johnpoz I don't know :( I thought let me give it a try, that NULL IP thing is so random.