Netgate Discussion Forum

    bug? DHCP client on interface A is receiving a 'router' option specified as static lease on interface B

      msswift
      last edited by msswift

      Recently I noticed that one specific client was repeatably getting the wrong gateway ("gateway" in pfsense terminology, DHCP 'router' option) when connecting to a specific wifi network (call it "A") where DHCP is served by pfsense 2.7.2. Interface A has VLAN 5 and 192.168.5.0/24, with pfsense at 5.1. The client gets a pool address at 5.129 (this address is arbitrary at first, and then repeatable because pfsense will give the same IP to the same MAC again if it hasn't had to reassign it meantime). The client should receive the default gateway and DNS address of pfsense at 5.1. This has been working fine, used daily for years, and works today with all clients but one. I should say all MAC addresses but one. The problem client is an iPhone so it's easy to turn on/off randomized MAC. When I randomize, pfsense sends the correct DHCP information and the client works. When I use the actual MAC on the client, pfsense offers 5.129 and the correct DNS of 5.1, but it offers router 192.168.62.1. This is not even in the right subnet, so client has wrong gateway and no internet connection.

      I know that pfsense is offering the wrong gateway because I traced packets (with the pfsense facility, then saved and inspected with wireshark) and looked at the DHCP offer and the ack packets, which explicitly give 192.168.62.x as the router. The iPhone does not "like" getting a router out of the subnet which it can't reach, so it takes a while, but eventually accepts it. I did the trace to confirm that the wrong gateway wasn't somehow set manually on the client or somehow interjected by the wifi access point.

      The pfsense DHCP server on Interface A is set to "allow all clients." There are some static IP assignments to other devices on this interface, but the client is NOT listed (not the native MAC nor any "private" / "locally administered" MAC).

      The pfsense installation has another interface (call it interface "B") on VLAN 62 associated with 192.168.62.0/24. It's not even accessible via wifi, currently (the access point doesn't know about this network or vlan). The DHCP server on interface B is set to "allow known clients from only this interface." The native MAC of the iPhone has a static entry here, without assigning an IP address (i.e., just giving permission to this MAC). The static entry assigns a gateway of 192.168.62.1. If I edit this static entry and change the gateway to 62.2, then the client gets 62.2. If I add a similar static entry on interface B with the private MAC of the iPhone, it will ALSO get the wrong gateway (I set 62.3 to ensure it was coming from this entry and not anywhere else). So the wrong gateway is not coming from an obsolete stale existing lease, it's coming from the static entry for that MAC on interface B.

      Something is wrong with the hierarchy of defaults when generating a response to this client on interface A. The parameters of the static DHCP entry on interface B should never be involved with a response to the client on interface A (which is set to accept all clients).

      I manually cleared all entries from /var/dhcpd/var/db/dhcpd.leases and restarted dhcpd, but behavior did not change (except clients now receive new usually different pool IP addresses).

      I've used pfsense with VLANs and static leases for single- and multi-homed hosts for years, two sites/pfsense instances which communicate. I've carefully checked my config. But I'm posting here before submitting a bug on redmine per pfsense manual guidance.

      I have saved a copy of the whole pfsense config which exhibits this problem. Please advise: if anyone thinks this could somehow be a misconfiguration instead of a bug, please advise what I should check. I think I've given information sufficient to reproduce by others. If it seems like a bug, what further info would be helpful to provide in a bug report?
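
The check the post describes doing by hand in Wireshark, as an added example that is not part of the original post: it parses a DHCP offer/ack payload and reports any router (option 3) address that lies outside the subnet of the offered address. The function names and the sample payloads are constructed for illustration, using the addresses quoted in the post and assuming a /24 subnet mask option.

```python
import ipaddress

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])  # marks the start of DHCP options

def parse_dhcp(payload: bytes):
    """Return (yiaddr, options) from a BOOTP/DHCP payload (the UDP data)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    yiaddr = ipaddress.IPv4Address(payload[16:20])  # address offered to the client
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # End option
            break
        if code == 0:                   # Pad option, single byte, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value  # repeated options concatenate
        i += 2 + length
    return yiaddr, options

def off_subnet_routers(payload: bytes):
    """List routers (option 3) that are outside yiaddr's subnet (mask from option 1)."""
    yiaddr, opts = parse_dhcp(payload)
    mask, routers = opts.get(1), opts.get(3, b"")
    if mask is None or len(mask) != 4 or len(routers) % 4:
        raise ValueError("missing or malformed subnet mask / router option")
    net = ipaddress.IPv4Network(f"{yiaddr}/{ipaddress.IPv4Address(mask)}", strict=False)
    addrs = [ipaddress.IPv4Address(routers[j:j + 4]) for j in range(0, len(routers), 4)]
    return [str(a) for a in addrs if a not in net]

def build_sample(yiaddr: str, mask: str, router: str, dns: str) -> bytes:
    """Constructed DHCPACK payload for the demo; not a captured packet."""
    fixed = bytearray(236)
    fixed[0] = 2                                        # op = BOOTREPLY
    fixed[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytes([53, 1, 5])                            # message type = DHCPACK
    for code, addr in ((1, mask), (3, router), (6, dns)):
        opts += bytes([code, 4]) + ipaddress.IPv4Address(addr).packed
    return bytes(fixed) + MAGIC_COOKIE + opts + b"\xff"

if __name__ == "__main__":
    bad = build_sample("192.168.5.129", "255.255.255.0", "192.168.62.1", "192.168.5.1")
    print("off-subnet routers:", off_subnet_routers(bad))
```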

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.