Netgate Discussion Forum

How to force the use of DHCP?

DHCP and DNS
8 Posts 4 Posters 7.8k Views
    alimovz
    last edited by Jan 30, 2010, 9:04 PM

    How do I force the use of DHCP on my network using pfSense?
    I want to simply disallow access to the Internet through my pfSense gateway to IPs that were not leased by DHCP.
    The idea is to make anybody who wants a static IP register it with pfsense before using it.

      wallabybob
      last edited by Jan 30, 2010, 10:32 PM

      I take it you want to allow internet access from the LAN only to systems whose IP address has been assigned by DHCP. Since you mention "static IP" I take it the client system's MAC address should have previously been registered with DHCP.

      I don't know of any way of configuring exactly this. Two options that come "close".

      1. Use static DHCP, add firewall rules to block all traffic from LAN, allow DHCP and allow traffic from IP addresses you have registered. However this allows traffic from systems which configured a static IP address in the allowed range (that is, the system need not have a current DHCP lease).

      2. Use captive portal - someone on a LAN client system has to login via a web page before the client system is allowed to access the internet. But, as far as I know, this doesn't have any connection with current DHCP leases. (I don't have any experience with the pfSense captive portal.)

      What is the problem you are trying to solve?

        alimovz
        last edited by Jan 31, 2010, 1:08 AM

        I have about 100 users on my corporate network 192.168.2.0.
        DHCP is running, ranging from 100 to 254.

        I want to keep track of all static IPs on the network, and thus I want my users to come to me before they can manually punch in their IP address. I decide if they really need it or not, and if they do I allow them access, but after registering that IP in my system.

          chpalmer
          last edited by Jan 31, 2010, 1:19 AM

          Change your addressing to something in a class A or class B range… Gets you away from addressing schemes everyone with a home router is familiar with. Makes them less likely to experiment.

          Warn people that they could inadvertently crash the network by choosing an address already in use. BS goes a long way. Incite FUD.

          Watch your states and block them as they show up... May take some time but it will eventually subside.

          I'm sure there are better ways to do this but just some ideas...

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            jimp Rebel Alliance Developer Netgate
            last edited by Jan 31, 2010, 5:43 AM

            Add all of your users' MAC addresses on the DHCP page as static mappings – but leave the IP addresses blank, except for those you want to have static IPs.

            Then check "deny unknown clients", and finally "Enable Static ARP entries", and save.

            Configured that way, only the MAC addresses you specify will be able to obtain an IP by DHCP, and anyone else that is not in the list will NOT get an IP from DHCP but will also not be able to use a hardcoded static IP as well.

            It's a bit more to maintain, having to keep a list of MAC addresses, but you probably already have the list in pfSense now on the DHCP client page, and you can use the links there to add them as static mappings.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!
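
Added example (not part of any post in this thread, and not pfSense code): a pre-flight check to run before enforcing the MAC list, comparing the firewall's ARP table against the static mappings to see which hosts the setup would not expect. The FreeBSD-style `arp -an` sample, the MAC registry, the firewall address 192.168.2.1 and the function names are all constructed assumptions; the 192.168.2.0 network and the 100 to 254 pool come from the thread.

```python
import re

# Matches FreeBSD-style `arp -an` lines; "(incomplete)" entries do not match.
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17}) on \S+", re.I)

# Constructed registry mirroring the static mappings: MAC -> fixed IP,
# or None where the IP field is left blank (address comes from the pool).
REGISTERED = {
    "00:11:22:33:44:55": "192.168.2.10",
    "00:11:22:33:44:66": None,
    "00:11:22:33:44:77": None,
    "00:11:22:33:44:88": "192.168.2.11",
}

# Constructed sample output; 192.168.2.1 is assumed to be the firewall itself.
ARP_OUTPUT = """\
? (192.168.2.1) at 00:0c:29:aa:bb:01 on em1 permanent [ethernet]
? (192.168.2.10) at 00:11:22:33:44:55 on em1 expires in 1104 seconds [ethernet]
? (192.168.2.131) at 00:11:22:33:44:66 on em1 expires in 870 seconds [ethernet]
? (192.168.2.50) at 00:11:22:33:44:77 on em1 expires in 412 seconds [ethernet]
? (192.168.2.77) at de:ad:be:ef:00:01 on em1 expires in 95 seconds [ethernet]
? (192.168.2.12) at 00:11:22:33:44:88 on em1 expires in 1190 seconds [ethernet]
? (192.168.2.200) at (incomplete) on em1 expired [ethernet]
"""

def parse_arp(text):
    """Return (ip, mac) pairs for every resolved entry."""
    hits = (ARP_LINE.search(line) for line in text.splitlines())
    return [(m.group(1), m.group(2).lower()) for m in hits if m]

def audit(arp_text, registered, self_ip="192.168.2.1",
          prefix="192.168.2.", pool=range(100, 255)):
    """List (ip, mac, reason) for hosts the enforced setup would not expect."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        if ip == self_ip:
            continue  # the firewall's own interface entry
        if mac not in registered:
            findings.append((ip, mac, "unregistered MAC"))
        elif registered[mac] is not None:
            if ip != registered[mac]:
                findings.append((ip, mac, "registered for " + registered[mac]))
        elif not (ip.startswith(prefix) and int(ip.rsplit(".", 1)[1]) in pool):
            findings.append((ip, mac, "outside DHCP pool"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit(ARP_OUTPUT, REGISTERED):
        print(f"{ip:15} {mac}  {reason}")
```

Each finding is a host to register, or to talk to, before the restriction is switched on.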

              wallabybob
              last edited by Jan 31, 2010, 10:59 AM

              http://forum.pfsense.org/index.php/topic,22377.0.html suggests that in pfSense 1.2.3 Release things don't work as described by jimp.

                jimp Rebel Alliance Developer Netgate
                last edited by Jan 31, 2010, 3:04 PM

                Not sure what is wrong with that guy's setup but it should work as I described. I'd have to set up a test environment to double check, however.

                  jimp Rebel Alliance Developer Netgate
                  last edited by Jan 31, 2010, 4:55 PM

                  Just confirmed it in a VM setup…

                  Set deny unknown clients, and I can't pull an IP address from pfSense, but I can set a static IP. Then if I set static ARP, I can't even talk with a hard coded IP address. Just as expected.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.