DHCP Server + Static ARP entries and/or Deny unknown clients FAILS

  • Hi, I've tested this with the latest snapshots for the past 3-4 days, 32-bit & 64-bit.

    What happens is, if you enable static ARP entries, and a switch connected to the LAN gets disconnected and reconnected, clients don't get anything after that; they can't ping, ssh or enter the webgui. I have to reboot pfSense for it to work again. Sadly, even if you don't power cycle the switches it happens every couple of hours…

    Pinging LAN IPs directly from pfSense also times out when the power cycle happens...

    Using "Deny unknown hosts" alone doesn't have this issue, but it doesn't do what it says: clients not in the list can still communicate with the firewall...

    :'(

    Maybe this is the issue?:

    [2.0-RC3][admin@pfSense.localdomain]/var/dhcpd(14): find / -name dhcpd.leases
    /var/dhcpd/var/db/dhcpd.leases
    
    [2.0-RC3][admin@pfSense.localdomain]/var/dhcpd(13): ps aux | grep dhcpd
    dhcpd  10130  0.0  1.6 13056  8048  ??  Ss    4:46PM   0:00.01 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf em1
    root   17128  0.0  0.3  6996  1536  ??  Ss    4:40PM   0:00.02 /usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f /var/etc/syslog.conf
    
    [2.0-RC3][admin@pfSense.localdomain]/var/dhcpd(14): find / -name dhcpd.conf
    /var/dhcpd/etc/dhcpd.conf
  • That has no relation to the redmine ticket you linked. Check 'arp -an' after you disconnect and reconnect the LAN and see what it looks like; it may need the linkup process to re-add the static ARP entries.



  • Thanks cmb, what do you mean by the linkup process? Is there a way to re-add static ARP entries automatically whenever a disconnect and reconnect happens? We get lots of power cuts on these LAN switches, so it's hard to do it by hand all the time…



  • Also, would it be a problem if clients are using static IPs instead of acquiring them via DHCP?



  • OK, when a disconnect happens the command arp -an shows nothing. I tried restarting the dhcpd service, but arp -an still doesn't show all the info… It also happens if I use "Deny unknown clients" instead of "Enable Static ARP entries", but with that I can still ping pfSense after the switches restart... it won't deny unknown clients though :/

    So if restarting dhcpd isn't solving this, what command will bring back the allowed ARP list? Maybe I can run it on cron every minute? Please HALP  :'(

    BTW the issue is on RC2 builds too... not only RC3

    Thanks
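A cron-style check-and-repair for the situation asked about above, added here as an example that is not from the thread, from pfSense or from the ticket: it reads the static mappings out of the chrooted dhcpd.conf (the /var/dhcpd/etc/dhcpd.conf path shown earlier in the thread), compares them against `arp -an`, and re-adds any permanent entry that has gone missing with FreeBSD's `arp -S`. It assumes the mappings are written as ISC `host { hardware ethernet ...; fixed-address ...; }` stanzas and that the LAN is em1; the sample config and ARP table below are constructed.

```shell
#!/bin/sh
# Constructed sample: two static mappings as ISC dhcpd writes them (assumed pfSense layout).
DHCPD_CONF_SAMPLE='host s_lan_0 {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.1.10;
}
host s_lan_1 {
    hardware ethernet AA:BB:CC:DD:EE:FF;
    fixed-address 192.168.1.11;
}'

# Constructed sample "arp -an" output after a link flap: the .10 entry survived, .11 is gone.
ARP_SAMPLE='? (192.168.1.10) at 00:11:22:33:44:55 on em1 permanent [ethernet]
? (192.168.1.1) at 00:0c:29:12:34:56 on em1 permanent [ethernet]'

# Print "ip mac" (MAC lower-cased, as arp prints it) for every static mapping in a dhcpd.conf text.
static_mappings() {
    printf '%s\n' "$1" | awk '
        match($0, /hardware ethernet [0-9a-fA-F:]+/) { mac = substr($0, RSTART + 18, RLENGTH - 18) }
        match($0, /fixed-address [0-9.]+/) {
            ip = substr($0, RSTART + 14, RLENGTH - 14)
            print ip, tolower(mac)
        }'
}

# Print the "ip mac" pairs whose permanent entry is absent from an "arp -an" text.
missing_static_arp() {
    conf="$1"; arptab="$2"
    static_mappings "$conf" | while read -r ip mac; do
        if ! printf '%s\n' "$arptab" | grep -q "($ip) at $mac .* permanent"; then
            printf '%s %s\n' "$ip" "$mac"
        fi
    done
}

# Live repair step (needs root on the firewall): arp -S replaces any stale entry for the host.
# Path and interface are the ones the thread shows; adjust if yours differ.
readd_static_arp() {
    missing_static_arp "$(cat /var/dhcpd/etc/dhcpd.conf)" "$(arp -an)" | while read -r ip mac; do
        echo "re-adding static ARP entry $ip -> $mac"
        arp -S "$ip" "$mac"
    done
}
```

Calling readd_static_arp from a one-minute cron entry gives the workaround the post asks for until the interface linkup handling re-adds the entries itself.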



  • I've added a ticket on redmine for the issue: http://redmine.pfsense.org/issues/1628


  • Rebel Alliance Developer Netgate

    As mentioned on that ticket, I made a commit yesterday that seems to fix this.



  • Thanks for the fix jimp. Clicking on the link in the ticket gives a 404; here's the working link: https://github.com/bsdperimeter/pfsense/commit/8ee623f3a98dca5681274d6a14450223236b4013
