Netgate Discussion Forum

    Confusion in understanding one of the "Deny unknown clients" setting

    General pfSense Questions
    13 Posts 4 Posters 1.9k Views
    • MwRUtexhhLV, last edited by MwRUtexhhLV

      In DHCP Server, there is a Deny unknown clients setting. It is obvious what is meant by Allow all clients and Allow known clients from only this interface. I am having difficulty understanding the meaning of Allow known clients from any interface because it doesn't work the way I understand it.

      I defined a static mapping on the LAN1 DHCP Server with ARP set. When I select Allow known clients from any interface on LAN2 and connect the client set up on LAN1 to the LAN2 ethernet port, it doesn't get any IP.

      Please teach me the meaning and use cases for this specific setting.

      • johnpoz (LAYER 8 Global Moderator) @MwRUtexhhLV, last edited by johnpoz

        @MwRUtexhhLV said in Confusion in understanding one of the "Deny unknown clients" setting:

        with ARP set

        So you're saying that with that, the MAC can only point to that IP..

        [attachment: staticarp.jpg]

        Allow known clients from any interface, any DHCP client with a MAC address listed in a static mapping on any scope(s)/interface(s) will get an IP address

        I have not tested this recently - but last time I did it WAD.. But if you set up a static ARP pair - even if your client got an IP from the DHCP scope on another one of your networks, how would it work? You have MAC aa:bb:cc:00:00:01 with static ARP set to 192.168.1.100 for example.. Even if it got 192.168.2.100 from another network.. It would be very problematic since aa:bb:cc:00:00:01 already points to 1.100; if you had aa:bb:cc:00:00:01 also pointing to 2.100 -- that could be an issue.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • MwRUtexhhLV @johnpoz, last edited by MwRUtexhhLV

          @johnpoz You are right, but I tried it with ARP disabled, and it still creates an ARP entry in the ARP table. So it still doesn't work without ARP.

          edit: So how is it supposed to work when you create a static IP entry on one DHCP server? You still provide an IP and a MAC with or without the ARP.

          • johnpoz (LAYER 8 Global Moderator) @MwRUtexhhLV, last edited by johnpoz

            @MwRUtexhhLV said in Confusion in understanding one of the "Deny unknown clients" setting:

            and it still creates an ARP in the ARP table.

            Well it would - but is it static? If it's not static, when your device got an IP in some other network, the ARP entry would be updated to point the MAC to the new address.

            edit: there is a big difference between a reservation (hey, give this MAC this IP..) and creating a static ARP entry for it, which says this MAC can only ever point to this IP..


            • MwRUtexhhLV @johnpoz, last edited by MwRUtexhhLV

              @johnpoz So then, for a MAC address to be able to get an IP from any interface, I should set a static IP for that MAC on every DHCP server? Edit: I want all IPs in the system to be static, not automatic.

              The documentation says "Allow known clients from any interface, any DHCP client with a MAC address listed in a static mapping on any scope(s)/interface(s) will get an IP address." but it didn't in my tests, if I only assign static IP in the first interface. Maybe I did something wrong.

              • johnpoz (LAYER 8 Global Moderator) @MwRUtexhhLV, last edited by johnpoz

                @MwRUtexhhLV so you want, say, MAC aa:bb:cc:00:00:01 to get 192.168.1.100 when on network X, and aa:bb:cc:00:00:01 to get 192.168.2.100 when on network Y.

                This would be via a reservation, but this works with allow all or allow known..

                Normally you would set allow known from any if you have, say, 192.168.1.100 reserved for network X, but if the client does move to network Y, you don't really care that it gets 2.42 as its address, etc. But MAC aa:bb:cc:00:00:02, which you do not know on any interface because you have not set a reservation, wouldn't get an IP.

                What exactly are you wanting to accomplish by messing with these settings.. You have clients that you don't want to get an IP? Why does just 'allow any' not work, setting up whatever reservations you want for specific clients to get an IP? This can be on different networks, so when on X it gets 1.100, when on Y it gets 2.100, for example.

                Happy to test what you're trying to do exactly - but to do that I need to understand what exactly you're trying to accomplish


                • MwRUtexhhLV @johnpoz, last edited by MwRUtexhhLV

                  @johnpoz
                  Then with your explanation, I just think this statement is not very clear:

                  "Allow known clients from any interface, any DHCP client with a MAC address listed in a static mapping on any scope(s)/interface(s) will get an IP address."

                  It looks like it says that if you set an interface to the above setting, when you move your device to that one, it will still get the same IP as from the first DHCP server, just because it was defined there. But in reality you have to define it on all interfaces, as per your explanation.

                  • SteveITS (Galactic Empire) @MwRUtexhhLV

                    @MwRUtexhhLV I get what you're saying, however, if the MAC address was assigned IP 10.0.0.4/24, gateway 10.0.0.1, and the network was 192.168.4.0/24, it couldn't communicate to 10.0.0.1 anyway because it's the wrong subnet.

                    If I had to completely guess, if you assign MAC1 on LAN and it gets connected to WIFI, pfSense will realize it's a valid MAC and give it an IP on WIFI?

                    We have used "Allow known clients from only this interface" which works well though that router has only LAN serving DHCP.

                    "Ignore denied clients rather than reject" is to prevent pfSense from repeatedly logging failures every few seconds. That seems to work decently well, though in the past I've come back later and it's logging those anyway.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                    • MwRUtexhhLV @SteveITS, last edited by MwRUtexhhLV

                      @SteveITS @johnpoz

                      I just want to register the use cases of the setting to my brain, which gets confused easily with this setting. I think we need examples in the pfSense documentation so it becomes clear.

                      I really thank your efforts to help me to understand, but I still did not get it completely.

                      I am not trying to accomplish a specific task this time, just trying to see if I can solve a problem with this setting that I am not aware could be solved by setting it. Otherwise it has stayed there for years now for me... bugs me a lot.

                      • stephenw10 (Netgate Administrator)

                        What I expect to happen here is exactly what is described for that setting:

                        If set to Allow known clients from any interface, any DHCP client with a MAC address listed in a static mapping on any scope(s)/interface(s) will get an IP address.

                        It should allow clients using a MAC address that is defined on any interface. If it's on a different interface it can't use that static lease, so it should get an IP from the dynamic range in that subnet.

                        Setting static ARP would conflict here because that would always exist, preventing the client registering the MAC with an IP from any other subnet.

                        I will say this is a little used feature so it's possible there are bugs!

                        Steve

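The behaviour Steve describes above, modelled as a small Python illustration added here (not pfSense or ISC DHCP code; the interface names, MAC addresses, reservations and pools are constructed samples): a MAC with a reservation on LAN1 counts as "known" to a LAN2 scope set to allow known clients from any interface, but it receives a LAN2 pool address rather than its LAN1 reservation, and a static ARP entry on LAN1 keeps pinning that MAC to the LAN1 address.

```python
# Toy model of the three pfSense DHCP "Deny unknown clients" modes as the thread
# describes them. Added illustration, not pfSense or ISC DHCP code; the interface
# names, MAC addresses, reservations and pools below are constructed samples.
ALLOW_ALL = "Allow all clients"
KNOWN_THIS = "Allow known clients from only this interface"
KNOWN_ANY = "Allow known clients from any interface"

# One scope per interface: mode, static mappings (MAC -> reserved IP), whether
# those mappings also create static ARP entries, and the dynamic pool.
SCOPES = {
    "LAN1": {"mode": ALLOW_ALL, "static_arp": True,
             "static": {"aa:bb:cc:00:00:01": "192.168.1.100"},
             "pool": ["192.168.1.200", "192.168.1.201"]},
    "LAN2": {"mode": KNOWN_ANY, "static_arp": False,
             "static": {}, "pool": ["192.168.2.42", "192.168.2.43"]},
}


def known_anywhere(scopes, mac):
    """Is this MAC listed in a static mapping on any interface?"""
    return any(mac in s["static"] for s in scopes.values())


def offer(scopes, iface, mac):
    """Address the DHCP server on `iface` hands to `mac`, or None if denied."""
    scope = scopes[iface]
    if scope["mode"] == KNOWN_THIS and mac not in scope["static"]:
        return None
    if scope["mode"] == KNOWN_ANY and not known_anywhere(scopes, mac):
        return None
    # A reservation only applies on the interface it was defined on; on any
    # other interface the known client falls through to that subnet's pool.
    if mac in scope["static"]:
        return scope["static"][mac]
    return scope["pool"][0] if scope["pool"] else None


def static_arp_conflict(scopes, mac, ip):
    """True if a static ARP entry pins `mac` to a different address, so the
    firewall keeps resolving it there even after `ip` is leased elsewhere."""
    return any(s["static_arp"] and s["static"].get(mac) not in (None, ip)
               for s in scopes.values())
```

Switching LAN2 to "only this interface" denies the same MAC, which is the difference between the two "known" modes the thread is about.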
                        • johnpoz (LAYER 8 Global Moderator) @stephenw10, last edited by johnpoz

                          @stephenw10 said in Confusion in understanding one of the "Deny unknown clients" setting:

                          I will say this is a little used feature

                          I would concur, most users would have little use for some of those modes.. I run my DHCP because I want my clients to get an IP ;) Not sure of a specific scenario where you would want to block clients from getting an IP when you allowed them to connect to your network in the first place.

                          I use reservations all the time, and have them set on pretty much every network other than my "guest" wifi network. Not saying the different modes don't have valid use cases..

                          But having a hard time coming up with some off the top of my head that would make sense for your typical home/smb network.. And when you move to a larger more enterprise type of network - I wouldn't expect the dhcp server on pfsense to not even be used for anything other than maybe some like guest wifi or something.

                          Setting static ARP is a specific thing that you would use if you are worried about someone trying to spoof an IP, maybe to get past firewall rules, etc. Or you might set that to lower ARPs on the network in general.. But it would really make more sense on the client side, or for example if you were doing, say, WOL or something.. and need to have the MAC even though the device isn't actively talking on the network, etc.

                          I think there was something related to static arps in redmine recently where they were not being reloaded on reboot or something..


                          • SteveITS (Galactic Empire) @johnpoz

                            @johnpoz said in Confusion in understanding one of the "Deny unknown clients" setting:

                            Not sure what specific scenario where you would want to block clients from getting an IP that you allowed to connect to your network in the first place

                            I started answering this from the perspective of the original question but I think you're asking more in general? In our scenario we provide Internet to our building. We used to have tenants put in a static IP on their router but they have no idea how to do that and since COVID we're not always on site, so we use the "deny" (only this interface) option to only allow valid MACs to pick up their IP. And yes we also disconnect patch cables when not in use and control access/speed via firewall rules.

                            re: "from any interface" that's a bit more complex, but maybe an admin wants to allow their laptop to connect to the LAN and IOT and Management networks without bothering to set a static IP as it moves around.


                            • johnpoz (LAYER 8 Global Moderator) @SteveITS

                              @SteveITS said in Confusion in understanding one of the "Deny unknown clients" setting:

                              We used to have tenants

                              While that seems like a very valid use case.. Thanks for a great example.. But that kind of puts you a bit above your typical home/SMB sort of use, don't you think ;)


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.