Create static mapping on the virtual ip range, outside the dhcp pool
-
Hi guys, I need to create a static mapping on the virtual IP range, outside the DHCP pool. Is that possible?
-
@Jhosin see https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#static-mappings
https://docs.netgate.com/pfsense/en/latest/services/dhcp/mappings-in-pools.html
-
@SteveITS Thanks for the reply, but in these docs I only find the static mapping inside the DHCP pool, and I need to reserve an IP outside the pool.
My pool lies from 192.168.0.0 to 192.168.7.253 / 255.255.248.0
but I have a virtual IP on the 192.168.85.0 range.
I need to make the 192.168.85.100 IP static on that range, but I don't know how to do it.
-
@Jhosin huh??
You cannot hand out an IP from DHCP that is not inside the scope of the DHCP server to hand out. If you're running a /21 then the reservation you set would have to be inside that /21 but outside the pool range.
Did you just change your pool to be the /21? Or is the address on pfSense actually a /21?
What do you show for pfsense address and mask?
In my above example I could hand out 192.168.200.2 to 9 or .251 to .254 as a reservation... But I could hand out say 192.168.201.x
You can run multiple L3 on the same L2, but it is almost always a bad idea, unless you're in the middle of changing your IP space to be used on that L2.
But if you gave pfSense say a VIP of 192.168.85.99 on that interface, and you want some other box on that L2 to use 192.168.85.100, you would have to set that on the device; you cannot hand it out via DHCP. Unless your overall DHCP range included it, and you had just set your pool to be smaller.
-
@johnpoz yeah, that's what I mean. The network works that way on a MikroTik: all the IPs are reserved on multiple /24 networks, and I want to leave it like that at the beginning at least. I don't want to join all those networks because they correspond to other sectors of the factory, and the floor machines don't need to see the office machines. They have problems with virus propagation because all the networks are only one, but it is what it is. I'm going to replace the /21 with one /16 and join all the things together. Thanks for the replies, guys.
-
@Jhosin Just running different L3 on the same L2 isn't isolating anything. If you want to isolate machines because of virus or whatever, they should be on their own L2, which would also be a different L3 network.
You should be running VLANs if you have a network where you want to segment traffic from each other, be it physical isolation or with VLANs.
-
@johnpoz yeah, I did not disagree with you. I think I'm going to create VLANs on the switches and isolate like that, and create different pools on pfSense for that reason. It's better to start the correct way instead of leaving it like that and having more work to do afterwards. Thank you guys for your help.
-
@Jhosin said in Create static mapping on the virtual ip range, outside the dhcp pool:
I'm going to replace the /21 with one /16 and join all the things together
Not clear what you're wanting to do, but I took that above statement to mean that you're just going to flatten your network to 1 big L2. Or it's already just one L2 and you're trying to isolate via IP addresses.
I am not sure what you mean by MikroTik works this way. How would a DHCP server hand out IPs for networks that are not part of its network pool(s) or available range?
You could for sure create a large L3 network on an interface and only hand out parts of this larger range via pool or pools, and then hand out other IPs in the range via reservations, etc. But what IP a device has on the same L2 network does not really isolate them.
I could put a /23 on an interface, say 192.168.0.0/23, and hand out IPs via DHCP to 192.168.0.x and hand out 192.168.1.x via reservations or set static on the device. This does not actually isolate these devices, even if I only gave them /24s for their mask. Devices on the same L2 are not isolated, regardless of what IP they might have.
-
@Jhosin if the IP you put on pfSense is say 192.168.0.1/23, this range is 192.168.0.0-192.168.1.255.
You can set the available pool on your DHCP server to only say 192.168.0.10 to 192.168.0.254. Since this network is really a /23 you have 192.168.0.1 to 192.168.1.254 as viable IPs on this network.
So even while DHCP is only going to hand out 0.10 to 0.254, 0.255 to 1.254 are still valid IPs on this network. And you could set reservations for those in the DHCP server so MAC address xyz gets say 192.168.1.100 or whatever.
Or you could set up these devices themselves to have say 192.168.1.200 as IP with a /23 mask.
Here is another example - in this pool I only hand out .20 to .30, but I have a reservation for .110
For DHCP to hand out an IP, it has to be on that network, be it a /24 or /23 or a /29 or /16 or a /8, etc. But if you enable the DHCP server on a 192.168.100.0/24 interface it can't hand out IPs to 192.168.200.x
-
@johnpoz oh yes, now I get it. In fact, it's my mistake, I did not read your answer correctly. That way is going to work, but I have a network like 10.11.92.0 on the same network, without any VLAN, and even if I increase the DHCP range, it is still 192.168...something. So I think I have no way to change that; I have to set it manually or change that subnetwork.
-
@Jhosin running some 10.x network on the same L2 network as your 192.168 network is not really isolating them. You need to physically isolate these networks, or you need to VLAN them.
While you can run multiple IP ranges on the same L2, this does not provide for actual isolation. If you are worried about device X accessing device Y, they really need to be actually on different L2 networks, not just different IP ranges.
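-
The scope rule discussed in this thread, as an added example that is not part of any post: a static mapping has to fall inside the subnet of the interface the DHCP server runs on and, following the replies above, outside the dynamic pool. The function name, the result labels, the `.1` interface addresses and the /24 pool bounds are assumptions; the networks, the other pools and the candidate IPs are the ones quoted in the posts.

```python
import ipaddress


def classify_mapping(interface, pool_start, pool_end, candidate):
    """Classify `candidate` as a DHCP static mapping for `interface` (hypothetical helper)."""
    iface = ipaddress.ip_interface(interface)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    ip = ipaddress.ip_address(candidate)

    # The dynamic pool itself has to sit inside the interface subnet.
    if start not in net or end not in net or start > end:
        raise ValueError(f"pool {start}-{end} does not fit inside {net}")
    if ip not in net:
        return "outside-subnet"      # the server on this interface cannot hand it out
    if ip in (net.network_address, net.broadcast_address):
        return "not-a-host-address"
    if ip == iface.ip:
        return "interface-address"   # already used by the firewall itself
    if start <= ip <= end:
        return "inside-pool"         # the thread's advice is to reserve outside the pool
    return "reservable"


# Constructed cases; interface addresses (.1) and the /24 pool are assumed.
CASES = [
    ("192.168.0.1/21", "192.168.0.0", "192.168.7.253", "192.168.85.100"),
    ("192.168.0.1/21", "192.168.0.0", "192.168.7.253", "192.168.7.254"),
    ("192.168.0.1/21", "192.168.0.0", "192.168.7.253", "10.11.92.10"),
    ("192.168.0.1/23", "192.168.0.10", "192.168.0.254", "192.168.1.100"),
    ("192.168.0.1/23", "192.168.0.10", "192.168.0.254", "192.168.0.50"),
    ("192.168.100.1/24", "192.168.100.10", "192.168.100.200", "192.168.200.5"),
]


def check_all(cases=CASES):
    """Return (candidate, verdict) pairs for every case."""
    return [(c[3], classify_mapping(*c)) for c in cases]


if __name__ == "__main__":
    for candidate, verdict in check_all():
        print(f"{candidate:16} {verdict}")
```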