How to force the use of DHCP?

alimovz · Jan 30, 2010, 9:04 PM

How do I force the use of DHCP on my network using PFsense?
I want to simply disallow access to the Intenet through my pfsense gateway to IPs that were not leased by DHCP.
The idea is to make anybody who wants a static IP register it with pfsense before using it.

wallabybob · Jan 30, 2010, 10:32 PM

I take it you want to allow internet access from the LAN only to systems whose IP address has been assigned by DHCP. Since you mention "static IP" I take it the client system's MAC address should have previously been registered with DHCP.

I don't know of any way of configuring exactly this. Two options that come "close".

Use static DHCP, add firewall rules to block all traffic from LAN, allow DHCP and allow traffic from IP addresses you have registered. However this allows traffic from systems which configured a static IP address in the allowed range (that is, the system need not have a current DHCP lease).
Use captive portal - someone on a LAN client system has to login via a web page before the client system is allowed to access the internet. But, as far as I know, this doesn't have any connection with current DHCP leases. (I don't have any experience with the pfSense captive portal.)

What is the problem you are trying to solve?

alimovz · Jan 31, 2010, 1:08 AM

I have about 100 users on my corporate network 192.168.2.0
DHCP is running ranging from 100 to 254

I want to keep track of all static IPs on the network and thus I want my users to come to me before they can manually punch in their ip address. I decide if they really need it or not and if they do I allow them access, but after registering that IP in my system.

chpalmer · Jan 31, 2010, 1:19 AM

Change your addressing to something in a class A or class B range… Gets you away from addressing schemes everyone with a home router is familiar with. Makes them less likely to experiment

Warn people that they could inadvertently crash the network by choosing and address already in use. BS goes along way. Incite FUD

Watch your states and block them as they show up... May take some time but it will eventually subside.

Im sure there are better way to do this but just some ideas...

jimp · Jan 31, 2010, 5:43 AM

Add all of your user's MAC addresses on the DHCP page as static mappings – but leave the IP addresses blank, except for those you want to have static IPs.

Then check "deny unknown clients", and finally "Enable Static ARP entries", and save.

Configured that way, only the MAC addresses you specify will be able to obtain an IP by DHCP, and anyone else that is not in the list will NOT get an IP from DHCP but will also not be able to use a hardcoded static IP as well.

It's a bit more to maintain, having to keep a list of MAC addresses, but you probably already have the list in pfSense now on the DHCP client page, and you can use the links there to add them as static mappings.

wallabybob · Jan 31, 2010, 10:59 AM

http://forum.pfsense.org/index.php/topic,22377.0.html suggests that in pfSense 1.2.3 Release things don't work as described by jimp.

jimp · Jan 31, 2010, 3:04 PM

Not sure what is wrong with that guy's setup but it should work as I described. I'd have to setup a test environment to double check, however.

jimp · Jan 31, 2010, 4:55 PM

Just confirmed it in a VM setup…

set deny unknown clients, and I can't pull an IP address from pfSense, but I can set a static IP. Then if I set static arp, I can't even talk with a hard coded IP address. Just as expected.