DHCP Problem/Question



  • Hi @ll

    I am using pfsense in a Hotel with some 200 rooms with big success, it works great. But :

    All the various Smartphones and Laptops have WLAN enabled per default and though they
    are not logged in to the captive portal they are using a IP Adress in case they connect to
    the Wireless LAN.

    Though there are often more than 2 people per room and many have a smartphone, a Tablet
    and a Laptop and all of them are on I am running out of IP Adresses during peak times.

    Of course I could change from a class C to a class B private network, but some of my access
    points are not capable of this.

    I think there is no way from preventing the machines from obtaining a IP adress as soon as
    they connect to the network, correct ?

    So does anyone of you have a Tip for me how to solve this issue in a convenient way ?

    Thank you in advance

    thafener



  • As as network professional, I always base a public network using a private /8 network.
    The problem can be solved by changing over to /8 private address space.

    You mentioned that your APs will not working with 'class B' network ranges..why? Just move to a /8 private IP range.



  • The way you address that in any network with a large number of devices that change frequently is to use a short lease length (equal to the length of your captive portal hard timeout if you're using CP, otherwise a couple hours is generally a fine choice), and make sure your pool is much larger than the number of devices that will connect within that period.

    I would never use a /8 under any circumstances, you don't need 16 million devices on the network (if you do, you seriously need to reconsider your network design as that's not going to work), and using 10./8 will break every VPN where the person is trying to get to any 10.x.x.x IP space over the VPN because they'll see that as local IP space. You're going to create problems for your users if you're using a /8.

    It shouldn't matter whether or not your APs can use a /16 mask, from the client's perspective they should be nothing more than a dumb bridge. For management purposes, you'll want an IP, but you'll want that on a separate VLAN and subnet from the client devices as you don't want them having access to the management interfaces of any devices along those lines. If you're stuck with no other option, then use a different static private IP subnet on the same broadcast domain, a /24 is fine, for management of APs.



  • Good point. VPNs would be a huge issue with that ip range.


Locked