Do you use dhcp reservations?

Epimpin

@coxhaus
Well it all starts with having a good understanding of what a mac address consists of. For instance, the first 6 digits(3 octets) tell you who manufacures the device and when and is called an OUI.

I have a locally stored OUI database installed in my auth scheme and I have ACL'S that block any device made by Huawei for instance and sends them to a walled garden with a message regarding Huawei devices with specific information.

You should know what type of devices you should expect on your network. With some simple network automation you don't have to "chase" mac addresses.

Then for things like switch to switch communications in your core, you should only ever see mac addresses of the neighboring switch. It doesn't have to be hard.

The dhcp reservations work well for allowing my roaming clients in my wireless networks to maintain a consistent connection and also allows my gigamon boxes to assign an identifier and gives good deduplication and solid subscriber tracking and less logging without having to implement a complex gtp/gprs configuration.

It works for me.

coxhaus

@Epimpin
I am glad it works for you. If you work on a network with 4 or 5 thousand PCs plus devices you are not going to be able to do that and do your job.

You are building a structure that is going to be limited.

JonathanLee

@coxhaus the reservations is more for tracking specific devices and or needs. Smaller networks yes it’s ok, but for thousands it gets harder to keep track of. A way around this is to set the dhcp pool lease timers really high so devices get the same IP address each time.

coxhaus

@JonathanLee
Plus using long DHCP lease times reduces your broadcast traffic immensely. Reducing the loads on your network.

cwagz

Number one reason for using dhcp reservation in my house is to allow me to direct the kids to different Pi-holes as they get older. This allows me to control YouTube restrictions and filter settings by maturity. All outside dns is blocked and I have a lot of fail safes in place that land “new” devices in the most restrictive Pi-hole group. This has worked really well until they get savvy. Then I have to decide if it is worth playing the cat and mouse game.

The pi-hole remote app is great because it has built in blocking controls for things like Roblox and discord. I can switch one kid off if they aren’t doing their homework or whatever.

JonathanLee

@cwagz I also have controls set up with mine and the LEDs on the firewall change if someone is on devices at night that should be sleeping. I customized the LEDs to state specific activation.

Epimpin

DHCP reservations allow us to have the ease, simplicity and benefits of DHCP without some of its pitfalls allowing us to rely on and use persistence of IP as a tool in other implementations and tools.

Ive seen how it works on other systems and it almost never works the way it should or how you think it should, but on pfsense it just simply works and as you would expect (most of the time).

ahking19

@JonathanLee Why not use time based rules instead of LED lights you have to monitor?

https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html

JonathanLee

@ahking19 shared devices sometimes I want to watch a streaming movie at night is all

Sergei_Shablovsky

@johnpoz said in Do you use dhcp reservations?:

@JonathanLee said in Do you use dhcp reservations?:

I do not want any mac address cloning going on.

Who is going to clone your macs?

Hackers. Black hackers.
Or cyber warriors from China, Iran, russia. (They are in 120-180ms distance from Your data ;)

And for what purpose?

Steal money. Or steal some info about Your clients to steal MUCH MORE money from them.
2.
Make damage for Your country.

Mac cloning is only a thing if they are already on your network..

Because around 80% of devices at home, work and office are connected by WiFi, airsnort, fake DHCP server for MITM doing work well.

I would love to hear your theory how anyone could use that to do anything? That doesn't already have full access to my network anyway..

Hm. Are You serious? I do not believe that You say that…

BTW, I prefer to using “IP reservation “ feature ONLY as some sort of helpful feature in administration and of pf rules work.
And THIS IS NOT AS A SECURITY BARRIER any way!

When planning infrastructure each one need to keep in mind that MAC/IP - NOT MAKE DEVICE TRUSTED, this is just ID.
And like Your passport w/o photo or biometric chip,- may be stealing by someone.

One of the basic rules nowadays must be: EACH DEVICE MUST HAVE OWN SERTS. NO SERTS,- NO ANY RIGHTS, NO ACCESS ANYWHERE !

Am I wrong?