DHCP static entries



  • Hi,
    I have an OPT interface with IP 10.10.0.254/24,
    DHCP enabled with range 10.10.0.1-10.10.0.1/24,
    and about 50 static entries
    (DNS is not from the same range, it is not 10.10.0.254, is that a problem? but everything works).

    Static entries work perfectly, except for the fields Deny unknown clients, which I checked, and Enable Static ARP entries.
    So, if I connect a machine that doesn't have its MAC entered in the DHCP list for this interface, the machine still gets IP address 10.10.0.1 and it can communicate through this interface.

    With Deny unknown clients checked, I think that DHCP should ignore any MAC that is not entered in the DHCP list table for that interface, is this correct?

    And with Enable Static ARP entries it should block traffic for any MAC that is not entered into the DHCP list on that interface, even if the IP address is entered manually, is this correct?

    So what did I do wrong?

    Thanks



  • @josey:

    DHCP enabled with range 10.10.0.1-10.10.0.1/24

    . . .
    With Deny unknown clients checked, I think that DHCP should ignore any MAC that is not entered in the DHCP list table for that interface, is this correct?

    . . .
    So what did I do wrong?

    At a guess, you shouldn't have specified any DHCP range. (Seems to me ambiguous to say "Deny unknown clients" AND say "unknown clients can have 10.10.0.1".)



  • LOL, no mate…
    if you don't enable DHCP, how can DHCP (by MAC) work at all? :)

    It must be enabled if you want it to work ;)

    The thing is that I'm confused by the fact that, even if it is set to not give an address and not pass traffic to unknown clients (unknown MACs), it still does that.

    What is wrong?



  • @josey:

    LOL, no mate…
    if you don't enable DHCP, how can DHCP (by MAC) work at all? :)

    It must be enabled if you want it to work ;)

    I suspect you have encountered a bug, but I wasn't in a position to play around with the DHCP settings on my pfSense box, so I was speculating.

    I didn't say you shouldn't enable DHCP. I was suggesting that MAYBE you shouldn't specify a range of IP addresses (that is, in your screenshot PERHAPS the RANGE boxes should be empty to be consistent with your setting "Deny unknown clients"). Note that by specifying IP addresses to go with MAC addresses you are giving the DHCP server something to do.

    I've just tried (on pfSense 1.2.3 RELEASE) a similar combination to what you have specified, and it is necessary to have a non-empty and valid range. A workaround for your problem would be to add a firewall rule to the interface to block traffic from the IP addresses in the range boxes.

    What version of pfSense are you using?

    @josey:

    And with Enable Static ARP entries it should block traffic for any MAC that is not entered into the DHCP list on that interface, even if the IP address is entered manually, is this correct?

    ARP is a way of finding out the MAC address of the interface with a particular IP address. It works by broadcasting the question "Who has IP address x.y.z.w?" The station that has that IP address responds saying "I do". The response is kept in a database and a timer started. The entry is removed when the timer expires. My understanding is that with static ARP a permanent entry is put in the database to associate the IP address and MAC address. If that's the case, static ARP won't block any traffic. It just makes it a little more challenging for someone to claim an IP address (they also have to claim the MAC address), but since MAC addresses can generally be easily changed, static ARP is not very secure.



  • I have 1.2.3 from 18 January.

    I think that the whole idea of these options in the DHCP server of PFS is to enable traffic of known machines on the network, and to deny traffic to/for unknown machines.

    So if you enter the MAC addresses of all machines on your network, everyone can work. If someone unknown from outside comes to the building and plugs a notebook into the network, nothing happens.
    The question is, will he/she know enough to scan the network, get some MAC addresses and clone them to the notebook? It is not important, one of the employees will see him/her and report that.

    So why this doesn't work, I don't know. I think it is a bug, but maybe I did something wrong, you never know.
    I remember that I had a similar setup on PFS ver. 1.02 and this was working perfectly.



  • Seems to me it's a bug. Please report it.

    Have you tried the workaround using firewall rules?


  • Rebel Alliance Developer Netgate

    There is no bug.

    I configured a VM in this manner, testing Deny Unknown clients and Static ARP, and it worked as expected.

    If you have "deny unknown clients" checked and you are still getting an IP on machines not listed on the DHCP server page, you might have another DHCP server on your LAN or some other misconfiguration. It's also possible you need to reboot the router after checking static ARP, as a machine may have still been in the router's ARP cache and I'm not sure if that gets flushed when switching to static ARP.
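The two things worth checking on the box after the posts above (that the generated DHCP config really denies unknown MACs, and that the kernel ARP table holds only permanent entries for the static mappings, with no leftover dynamic entries from before static ARP was enabled) can be scripted. The following is an added example, not pfSense's code and not posted by anyone in this thread. It assumes the layout pfSense 1.2.3 writes to /var/dhcpd/etc/dhcpd.conf (an ISC dhcpd config with `deny unknown-clients` inside the pool and one `host` block per static mapping) and the FreeBSD `arp -an` output format; both inputs below are constructed samples in that shape, and the interface name em1 is a placeholder for the OPT interface.

```python
"""Audit an interface's "Deny unknown clients" + static ARP setup (added example)."""
import re

# Constructed sample in the assumed shape of the dhcpd.conf pfSense generates
# when "Deny unknown clients" is checked and two static mappings exist.
DHCPD_CONF = """\
subnet 10.10.0.0 netmask 255.255.255.0 {
    pool {
        deny unknown-clients;
        range 10.10.0.1 10.10.0.1;
    }
    option routers 10.10.0.254;
    option domain-name-servers 10.1.0.1;
}
host s_opt1_0 {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 10.10.0.10;
}
host s_opt1_1 {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 10.10.0.11;
}
"""

# Constructed sample of FreeBSD `arp -an`. The 10.10.0.1 line is a dynamic
# (expiring) entry for a MAC with no mapping: the stale-cache case.
ARP_OUTPUT = """\
? (10.10.0.10) at 00:11:22:33:44:55 on em1 permanent [ethernet]
? (10.10.0.11) at 00:11:22:33:44:66 on em1 permanent [ethernet]
? (10.10.0.1) at 00:aa:bb:cc:dd:ee on em1 expires in 1187 seconds [ethernet]
? (192.168.1.5) at 00:0c:29:ab:cd:ef on em0 expires in 900 seconds [ethernet]
"""

HOST_RE = re.compile(
    r"^\s*host\s+\S+\s*\{[^}]*?hardware ethernet\s+([0-9a-f:]{17});"
    r"[^}]*?fixed-address\s+([\d.]+);", re.I | re.M)
ARP_RE = re.compile(
    r"\(([\d.]+)\) at ([0-9a-f:]{17}) on (\S+) (permanent|expires in \d+ seconds)", re.I)


def parse_dhcpd_conf(text):
    """Return (deny_unknown, {mac: fixed_ip}) from an ISC dhcpd config."""
    # In ISC dhcpd, "deny unknown-clients" in the pool refuses any client whose
    # MAC has no matching host declaration, regardless of the range.
    deny_unknown = bool(re.search(r"^\s*deny unknown-clients;", text, re.M))
    hosts = {mac.lower(): ip for mac, ip in HOST_RE.findall(text)}
    return deny_unknown, hosts


def parse_arp(text, ifname):
    """Return [(ip, mac, is_permanent)] for ARP entries on ifname."""
    entries = []
    for m in ARP_RE.finditer(text):
        ip, mac, iface, state = m.groups()
        if iface == ifname:
            entries.append((ip, mac.lower(), state.lower() == "permanent"))
    return entries


def audit(dhcpd_conf, arp_output, ifname):
    """Cross-check the DHCP static list against the kernel ARP table."""
    deny_unknown, hosts = parse_dhcpd_conf(dhcpd_conf)
    problems = []
    if not deny_unknown:
        problems.append("pool does not deny unknown-clients")
    arp = parse_arp(arp_output, ifname)
    arp_by_mac = {mac: (ip, perm) for ip, mac, perm in arp}
    # With static ARP on, every mapping should be a permanent kernel entry.
    for mac, ip in hosts.items():
        if mac not in arp_by_mac or not arp_by_mac[mac][1]:
            problems.append(f"no permanent ARP entry for {mac} ({ip})")
    # A dynamic entry on this interface was learned before static ARP was
    # enabled (or static ARP is not active); a permanent one with no mapping
    # was added by hand.
    for ip, mac, perm in arp:
        if not perm:
            problems.append(f"dynamic ARP entry {ip} at {mac} (stale cache?)")
        elif mac not in hosts:
            problems.append(f"permanent entry {ip} at {mac} has no DHCP mapping")
    return {"deny_unknown": deny_unknown, "hosts": hosts, "problems": problems}


if __name__ == "__main__":
    for line in audit(DHCPD_CONF, ARP_OUTPUT, "em1")["problems"]:
        print(line)
```

On a real box the two inputs would be the contents of /var/dhcpd/etc/dhcpd.conf (path assumed) and the output of `arp -an`; an empty problem list means every static mapping is a permanent ARP entry and nothing dynamic is left on the interface. A dynamic entry that persists after the reboot suggested above means static ARP is not actually active on that interface.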



  • @jimp:

    There is no bug.

    I configured a VM in this manner, testing Deny Unknown clients and Static ARP, and it worked as expected.

    If you have "deny unknown clients" checked and you are still getting an IP on machines not listed on the DHCP server page, you might have another DHCP server on your LAN or some other misconfiguration. It's also possible you need to reboot the router after checking static ARP, as a machine may have still been in the router's ARP cache and I'm not sure if that gets flushed when switching to static ARP.

    Well, it seems you are right. After I rebooted PFS and all switches … it seems that now it works fine; it still gives an IP address, BUT it does not pass any traffic ;)

