Confusion in understanding one of the "Deny unknown clients" settings
-
In DHCP Server, there is a Deny unknown clients setting. It is obvious what is meant by Allow all clients and Allow known clients from only this interface. I am having difficulty understanding the meaning of Allow known clients from any interface, because it doesn't work the way I understand it.
I defined a static mapping in the LAN1 DHCP server with ARP set. When I select Allow known clients from any interface on LAN2 and connect the client mapped on LAN1 to the LAN2 Ethernet port, it doesn't get any IP.
Please teach me the meaning and use cases for this specific setting.
-
@MwRUtexhhLV said in Confusion in understanding one of the "Deny unknown clients" settings:
with ARP set
So you're saying that with that set, the MAC can only point to that IP..
Allow known clients from any interface, any DHCP client with a MAC address listed in a static mapping on any scope(s)/interface(s) will get an IP address
I have not tested this recently - but last time I did it WAD.. But if you set up a static ARP pair - even if your client got an IP from the DHCP scope on another one of your networks, how would it work? You have MAC aa:bb:cc:00:00:01 with static ARP set to 192.168.1.100, for example.. Even if it got 192.168.2.100 from another network.. It would be very problematic, since aa:bb:cc:00:00:01 already points to 1.100; if you had aa:bb:cc:00:00:01 also pointing to 2.100 -- that could be an issue.
-
@johnpoz You are right, but I tried it with ARP disabled, and it still creates an ARP entry in the ARP table. So it still doesn't work without ARP.
Edit: So how is it supposed to work when you create a static IP entry on one DHCP server? You still provide an IP and a MAC, with or without the ARP.
-
@MwRUtexhhLV said in Confusion in understanding one of the "Deny unknown clients" settings:
and it still creates an ARP entry in the ARP table.
Well it would - but is it static? If it's not static, then when your device got an IP in some other network the ARP entry would be updated to point the MAC to the new address.
Edit: there is a big difference between a reservation ("hey, give this MAC this IP") and creating a static ARP entry for it, which says this MAC can only ever point to this IP..
-
@johnpoz So then, for a MAC address to be able to get an IP from any interface, I should set a static IP for that MAC on every DHCP server? Edit: I want all IPs in the system to be static, not automatic.
The documentation says "Allow known clients from any interface, any DHCP client with a MAC address listed in a static mapping on any scope(s)/interface(s) will get an IP address.", but it didn't in my tests if I only assign a static IP on the first interface. Maybe I did something wrong.
-
@MwRUtexhhLV So you want, say, MAC aa:bb:cc:00:00:01 to get 192.168.1.100 when on network X, and aa:bb:cc:00:00:01 to get 192.168.2.100 when on network Y.
This would be via a reservation, but this works with allow all or allow known..
Normally you would set allow known from any if you have, say, 192.168.1.100 reserved for network X, but if the client does move to network Y you don't really care that it gets 2.42 as its address, etc. But if MAC aa:bb:cc:00:00:02 is one you do not know on any interface, i.e. you have not set a reservation, then it wouldn't get an IP.
What exactly are you wanting to accomplish by messing with these settings.. You have clients that you don't want to get an IP? Why does just "allow any" not work, and set up whatever reservations you want for specific clients to get an IP? This can be on different networks, so when on X it gets 1.100, when on Y it gets 2.100, for example.
Happy to test what you're trying to do exactly - but to do that I need to understand what exactly you're trying to accomplish.
-
@johnpoz
Then, with your explanation, I just think this statement is not very clear: "Allow known clients from any interface, any DHCP client with a MAC address listed in a static mapping on any scope(s)/interface(s) will get an IP address."
It looks like it says that if you set an interface to the above setting, when you move your device to that one it will still get the same IP as from the first DHCP server, just because it was defined there. But in reality you have to define it on all interfaces, as in your explanation.
-
@MwRUtexhhLV I get what you're saying; however, if the MAC address was assigned IP 10.0.0.4/24, gateway 10.0.0.1, and the network was 192.168.4.0/24, it couldn't communicate with 10.0.0.1 anyway because it's the wrong subnet.
If I had to completely guess, if you assign MAC1 on LAN and it gets connected to WIFI, pfSense will realize it's a valid MAC and give it an IP on WIFI?
We have used "Allow known clients from only this interface", which works well, though that router has only LAN serving DHCP.
"Ignore denied clients rather than reject" is to prevent pfSense from repeatedly logging failures every few seconds. That seems to work decently well, though in the past I've come back later and it's logging those anyway.
-
I just want to register the use cases of the setting in my brain, which gets confused easily by this setting. I think we need examples in the pfSense documentation so it becomes clear.
I really thank you for your efforts to help me understand, but I still did not get it completely.
I am not trying to solve a specific problem this time, just trying to see if there is a problem I could solve with this setting that I am not aware of. Otherwise it has sat there for years now for me... bugs me a lot.
-
What I expect to happen here is exactly what is described for that setting:
If set to Allow known clients from any interface, any DHCP client with a MAC address listed in a static mapping on any scope(s)/interface(s) will get an IP address.
It should allow clients using a MAC address that is defined on any interface. If it's on a different interface it can't use that static lease, so it should get an IP from the dynamic range in that subnet.
Setting static ARP would conflict here because that would always exist, preventing the client registering the MAC with an IP from any other subnet.
I will say this is a little used feature so it's possible there are bugs!
Steve
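A small model of the three modes as this thread describes them, written as an added example for this post (not pfSense's code or its generated DHCP configuration): every interface name, subnet, MAC and pool address is constructed, the "toy allocator" just hands out the first pool address, and the static-ARP rule encodes the conflict Steve describes above.

```python
"""Constructed model of the three "Deny unknown clients" modes as this thread
describes them. Added example, not pfSense code: every interface, subnet, MAC
and pool address is made up; the static-ARP rule is the conflict Steve describes."""
from dataclasses import dataclass, field
from typing import Optional

ALLOW_ALL, KNOWN_THIS, KNOWN_ANY = "allow_all", "known_this", "known_any"

@dataclass
class Scope:
    """One interface's DHCP server: mode, dynamic pool and static mappings."""
    mode: str
    pool_start: str                               # first dynamic address (toy allocator)
    mappings: dict = field(default_factory=dict)  # MAC -> (ip, static_arp)

def offer(scopes: dict, iface: str, mac: str) -> Optional[str]:
    """Address the server on `iface` would hand to `mac`, or None if denied."""
    scope = scopes[iface]
    if mac in scope.mappings:                     # reservation on this interface wins
        return scope.mappings[mac][0]
    if scope.mode == KNOWN_THIS:                  # no local mapping: unknown here, denied
        return None
    elsewhere = [s.mappings[mac] for s in scopes.values() if mac in s.mappings]
    if scope.mode == KNOWN_ANY and not elsewhere: # no mapping on any interface: denied
        return None
    if any(static_arp for _ip, static_arp in elsewhere):
        return None                               # static ARP pins the MAC to the other IP
    return scope.pool_start                       # allow_all, or known elsewhere: dynamic range

def scenario(static_arp: bool) -> dict:
    """The OP's setup: mapping only on LAN1, LAN2 set to 'known from any'."""
    scopes = {
        "LAN1": Scope(KNOWN_THIS, "192.168.1.100",
                      {"aa:bb:cc:00:00:01": ("192.168.1.10", static_arp)}),
        "LAN2": Scope(KNOWN_ANY, "192.168.2.100"),
    }
    return {
        "known on LAN1": offer(scopes, "LAN1", "aa:bb:cc:00:00:01"),
        "moved to LAN2": offer(scopes, "LAN2", "aa:bb:cc:00:00:01"),
        "unknown on LAN1": offer(scopes, "LAN1", "aa:bb:cc:00:00:02"),
        "unknown on LAN2": offer(scopes, "LAN2", "aa:bb:cc:00:00:02"),
    }

if __name__ == "__main__":
    print("static ARP off:", scenario(False))    # moved to LAN2 -> 192.168.2.100
    print("static ARP on: ", scenario(True))     # moved to LAN2 -> None
```

Running it shows the two outcomes the thread argues about: with the LAN1 mapping but no static ARP, the client moved to LAN2 gets a dynamic LAN2 address; with static ARP on, it gets nothing, while a MAC with no mapping anywhere is denied on both interfaces.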
-
@stephenw10 said in Confusion in understanding one of the "Deny unknown clients" settings:
I will say this is a little used feature
I would concur, most users would have little use for some of those modes.. I run my DHCP because I want my clients to get an IP ;) Not sure of a specific scenario where you would want to block clients from getting an IP that you allowed to connect to your network in the first place.
I use reservations all the time, and have them set on pretty much every network other than my "guest" wifi network. Not saying the different modes don't have valid use cases..
But I am having a hard time coming up with some off the top of my head that would make sense for your typical home/SMB network.. And when you move to a larger, more enterprise type of network - I wouldn't expect the DHCP server on pfSense to even be used for anything other than maybe something like guest wifi.
Setting, say, static ARP is a specific thing that you would use if you were worried about someone trying to spoof an IP, maybe to get past firewall rules, etc. Or you might set that to lower ARPs on the network in general.. But it would really make more sense on the client side, or for example if you were doing, say, WoL or something.. and need to have the MAC, even though the device isn't actively talking on the network, etc.
I think there was something related to static ARPs in Redmine recently where they were not being reloaded on reboot or something..
-
@johnpoz said in Confusion in understanding one of the "Deny unknown clients" settings:
Not sure of a specific scenario where you would want to block clients from getting an IP that you allowed to connect to your network in the first place
I started answering this from the perspective of the original question, but I think you're asking more in general? In our scenario we provide Internet to our building. We used to have tenants put in a static IP on their router, but they have no idea how to do that, and since COVID we're not always on site, so we use the "deny" (only this interface) option to only allow valid MACs to pick up their IP. And yes, we also disconnect patch cables when not in use and control access/speed via firewall rules.
Re: "from any interface", that's a bit more complex, but maybe an admin wants to allow their laptop to connect to the LAN and IoT and Management networks without bothering to set a static IP as it moves around.
-
@SteveITS said in Confusion in understanding one of the "Deny unknown clients" settings:
We used to have tenants
While that seems like a very valid use case.. Thanks for a great example.. But that kind of puts you a bit above your typical home/SMB sort of use, don't you think ;)