How to isolate DHCP clients

rsn

Hello - I'm trying to figure out the best way to separate DHCP clients from non-DHCP clients on a network.  I have 1 WAN and 1 LAN at this point.  What are my options?  Thanks in advance.

XIII

add another interface and disable the DHCP server on it. then use firewall rules to separate them

rsn

Hmm, that's what I suspected.  I was hoping there was some way to do this without adding another NIC.  I'm guessing I could do this with VLANs as I do have a managed switch, but I'm not sure I want to go down that route right now.

Thanks!

XIII

your interfaces on pfsense need to be VLAN compatible. You could also do untagged (clients are unaware of the VLAN) VLANs with the switch, depending on its capabilities, you could have half the ports for dhcp clients and the other half for static and segregate them with the switch. then set a firewall rule to not allow one subnet (aliases) to talk to the other.

rsn

One more related question: If I want to move a DHCP client from one network to another (i.e. from the "isolated" network on LAN 2 to the "main" network on LAN 1, can I simply statically assign that client (using the pfsense DHCP leases section) an IP address on the "main" network?

XIII

depends on your switch, if not you just plug it into a port on that network that you want it on.

rsn

@rsn:

One more related question: If I want to move a DHCP client from one network to another (i.e. from the "isolated" network on LAN 2 to the "main" network on LAN 1, can I simply statically assign that client (using the pfsense DHCP leases section) an IP address on the "main" network?  
@XIII:

depends on your switch, if not you just plug it into a port on that network that you want it on.

My question was assuming I was not using a VLAN, rather two NICs.  Sorry for the confusion.

I'm wondering if pfsense will allow this type of an assignment.

XIII

you mean if you have a total of 3 nics, wan,lan and opt1/lan2?
yes, i currently do this.
just disable the dhcp server on the nic you have static ips assigned on. do a firewall rule to separate them.

rsn

Yes, 3 NICs.  So pfsense will allow me to take a client that has been assigned an IP address by LAN2 and statically assign it an IP on LAN via the DHCP leases static assignment tool?

XIII

no. networks must be different. cant have 192.168.0.1 on both nics
AFAIK you can not give LAN2 an IP from LAN1 unless they are on the same network by default you would have to disable the anti spoof feature to do this.

rsn

I think there is still a bit of confusion over my question, or perhaps I don't totally understand the reply.

Let me provide an example:

WAN xx.xx.xx.xx
LAN: 192.168.1.0 <- NO DHCP
LAN2: 192.168.50.0 <- DHCP server running

laptop1 is a DHCP client and is assigned 192.168.50.24 by the DHCP server running on LAN2.  I determine that I want to move laptop1 to the LAN network without manually entering in the new IP info on the laptop1 machine itself.  So, I would like to go into the DHCP leases portion of the pfsense UI, click the "statically assign" button, and assign it an IP address of 192.168.1.102 (which happens to be on the LAN network).  Is this possible?  If not, how can I make this workflow happen?

XIII

yes it is.
I guess I just didnt fully understand the question Sorry about that.

rsn

No problem.  I should have provided the example in my first post.

Thanks for the input!

kpa

If there's no DHCP server running on LAN interface then there can't be any address assignments happening for hosts on LAN by pfSense, you'll have to assign IP address/gateway/dns settings manually on the client.

XIII

@kpa:

If there's no DHCP server running on LAN interface then there can't be any address assignments happening for hosts on LAN by pfSense, you'll have to assign IP address/gateway/dns settings manually on the client.

yea that is true, forgot about that, I usually assign statics via DHCP, I got confused again. Today is just not my day, at least it is Friday though.

What you would do is enable the DHCP server with a range of the number of devices you would assign static IPs to, that way authorized devices get an ip via DHCP and unauthorized devices cant as there is not any available.

example:
192.168.1.0 with dhcp range of: 192.168.1.2-.15, statically assign those 14 ips to devices and then when a device connects to that network they cant get an ip as all the ips are used up via  a static mapping. unless of course they spoof the mac of a statically assigned device then they will get that ip.

rsn

@XIII:

@kpa:

If there's no DHCP server running on LAN interface then there can't be any address assignments happening for hosts on LAN by pfSense, you'll have to assign IP address/gateway/dns settings manually on the client.

yea that is true, forgot about that, I usually assign statics via DHCP, I got confused again. Today is just not my day, at least it is Friday though.

What you would do is enable the DHCP server with a range of the number of devices you would assign static IPs to, that way authorized devices get an ip via DHCP and unauthorized devices cant as there is not any available.

example:
192.168.1.0 with dhcp range of: 192.168.1.2-.15, statically assign those 14 ips to devices and then when a device connects to that network they cant get an ip as all the ips are used up via  a static mapping. unless of course they spoof the mac of a statically assigned device then they will get that ip.

Do you mean assign these 14 IPs as static via DHCP or manually on the client?  Even if this is what you mean, then this does not really solve my problem.  I really want all of my devices/hosts to receive IPs via DHCP.  However, I want those assigned address via DHCP to be isolated from devices that I have "flagged".  In other words, I don't want any device that is assigned an address via DHCP (such as house guests) to be able to even see any machine on my house network unless I "move them over" to the house network.  I also don't want my "house network" machines to be DHCP clients, as some of them are mobile devices (in other words they may connect to networks in other physical locations and I don't want to have to continually disable and enable DHCP on these clients.  You see what I mean?  There must be some way to make this happen - I just don't know how.

wallabybob

@rsn:

I don't want any device that is assigned an address via DHCP (such as house guests) to be able to even see any machine on my house network unless I "move them over" to the house network.

Then you need physically separate networks OR a VLAN capable switch with the two groups of devices on separate VLANS.

rsn

@wallabybob:

@rsn:

I don't want any device that is assigned an address via DHCP (such as house guests) to be able to even see any machine on my house network unless I "move them over" to the house network.

Then you need physically separate networks OR a VLAN capable switch with the two groups of devices on separate VLANS.

KPA has already said that I cannot "move clients over" from one network to another if the 2nd network is not running  a DHCP server.  That is the problem I am trying to overcome here.

Cry Havok

rsn, please re-read wallabybob's answer.  Yes, you need a DHCP server on both networks, but to separate your 2 networks you have to make them 2 separate networks, either physically or by using VLANs.

rsn

Physically separate them as in put them on different switches and not connect the two switches together?  If that isn't done then won't having two DHCP servers cause problems?  If that IS done then this presents a lot of new challenges.