DHCP in LAN, OPT1 and OPT2 with MAC filter

  • Hello friends, I installed a pfSense appliance on VMware at a client. The LAN interface and OPT1 and OPT2 each have their own IP range in DHCP. On LAN and OPT1 I registered the MAC addresses of the machines and checked the option to deny clients whose MAC is not registered, so DHCP does not give an IP address to an unknown MAC. On OPT2 I registered the MACs as well but did not check the option to deny unknown MACs, because the idea is precisely that if a stranger plugs into the company network, they get an IP from OPT2; this network has no access to anything, not even the internet, so it is a safety net.

    But strangely, once or twice, a machine whose MAC is registered in the LAN DHCP took an IP from the OPT2 DHCP. I solved the problem by deleting the machine's MAC and adding it back in the LAN DHCP, and then it returned to normal.

    Why did this happen? Is it a bug in pfSense? How to ensure that this does not happen anymore?

    Thank you all!

  • Do you have two DHCP servers in the same LAN (pfSense LAN and pfSense OPT2)? If so, that's not going to work "correctly". You would be better off using something like captive portal with pass-through MAC (registered MACs pass straight through the captive portal, everyone else needs to provide valid authentication details before they can get past the captive portal).

  • I understand, but I must do it this way because it is not just about blocking the Internet; it's network security. Computers that are not the company's have to get an IP range other than the LAN's, so these computers are isolated in the firewall rules and I allow them only HTTP. So I was doing DHCP by MAC: registered ones fall into the LAN and unregistered ones fall into the OPT2 range.

    In the environment there is only one switch, a 3Com. I could even consider putting in another one to create a separate DMZ, but pfSense is virtualized on VMware with 03 virtual interfaces connected to a single physical interface (NIC) that is then connected to the switch.

    Any other ideas?

    Thank you!
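Since all three pfSense interfaces share one physical NIC and one switch here, a DHCPDISCOVER from a registered machine reaches the LAN scope and the OPT2 scope at the same time, and the client keeps whichever offer arrives first. The following added example (not from the thread or from pfSense) scans DHCP log lines in the style pfSense's ISC dhcpd writes and flags any registered MAC that was acknowledged a lease on an interface other than the one it is registered on; the log lines, interface names and MAC registry are constructed assumptions.

```python
import re

# Constructed sample log in the style of pfSense's ISC dhcpd entries.
# Interface names (em1 = LAN, em3 = OPT2) and addresses are assumptions.
SAMPLE_LOG = """\
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via em1
dhcpd: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 via em1
dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 via em1
dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via em3
dhcpd: DHCPOFFER on 192.168.3.20 to aa:bb:cc:dd:ee:ff via em3
dhcpd: DHCPACK on 192.168.3.20 to aa:bb:cc:dd:ee:ff via em3
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via em3
dhcpd: DHCPOFFER on 192.168.3.21 to 00:11:22:33:44:55 via em3
dhcpd: DHCPACK on 192.168.3.21 to 00:11:22:33:44:55 via em3
"""

# Constructed registry: the interface each registered MAC must lease from.
# Unregistered MACs (like aa:bb:...) are expected on OPT2 and are not flagged.
REGISTERED = {"00:11:22:33:44:55": "em1"}

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17}) via (\S+)")


def find_misplaced_leases(log_text, registry):
    """Return (mac, ip, iface) for every DHCPACK that hands a registered MAC
    a lease via an interface other than the one it is registered on."""
    hits = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # only ACKs mean the client actually took the lease
        ip, mac, iface = m.groups()
        mac = mac.lower()
        expected = registry.get(mac)
        if expected is not None and iface != expected:
            hits.append((mac, ip, iface))
    return hits


if __name__ == "__main__":
    for mac, ip, iface in find_misplaced_leases(SAMPLE_LOG, REGISTERED):
        print(f"registered MAC {mac} took {ip} via {iface} (expected {REGISTERED[mac]})")
```

Running this over the real DHCP log would show how often the OPT2 offer wins the race, which is the symptom the thread describes; it does not change the outcome, only makes it visible.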
