Netgate Discussion Forum

    DHCP static MAC/ARP entries dotted quad only?

    Category: DHCP and DNS
    6 Posts 2 Posters 4.2k Views
    andrewinhawaii:

      This is my first pfSense install (2.0.1) but I'm an old hand at FBSD (since 1.0).  I'm replacing an ancient firewall (FBSD 4.8) with pfSense, but I'm trying to maintain complete compatibility.  I have many "kinda smart" devices on my network which are DHCP only, however, they need specific firewall rules.  For example, my VOIP PAP gets special treatment not only for SIP, but it insists on calling home for NTP, and firmware updates, among other things.  In my old ISC DHCP configuration, I use the FQDN for "fixed-address".  Apparently ISC dhcpd is able to resolve the IP by itself from the DNS (BIND) - I don't know if it is done at init time or when the dhcp request is processed.  What I do know is that one more potential source of IP address aliasing is eliminated.

      However, I have found with pfSense that only a dotted quad (IPv4) is allowed when entering the static DHCP entries.  Is there a reason for this that I am missing?

      It is a bit concerning that it appears that pfSense requires that I must enter the same name & IP address at least 3 different places consistently: once as an ALIAS for filtering, once for the hosts file, and a third time for a static DHCP lease.  If the IP must be moved, for example because of network reorganization or segmentation, I must remember to update each one of these or very bad and confusing things will happen.  Is there a way to unify the IP <–> host name mapping?

      Secondly: the first time I selected "Enable Static ARP entries" I read the warning "Note: Only the machines listed below will be able to communicate with the firewall on this NIC." too late.  As soon as I clicked on "Save" my whole system died.  The serial console worked, but I couldn't get in or out of the box.  Only after fidgeting, rebooting, and eventually removing the new firewall from service and restoring the old one, was I finally able to get it talking again.  What happened?  Why is this check box a "kill your working system" button?  Why does enabling static DHCP entries make everything else stop working?  I'm not selecting that check box again until I can understand what's going on.  Because I need my VOIP phone, that means that the pfSense box sits in the corner.

      Again, have I missed something?

      Andrew

      PS.  That's really awesome that your login can timeout while you're typing a post in, tossing it out completely and leaving you with the maximally unhelpful messages:

      Your session timed out while posting. Please try to re-submit your message.
      No subject was filled in.
      The message body was left empty.

      I'm not seeing the benefit of this feature.

      wallabybob:

        @andrewinhawaii:

        PS.  That's really awesome that your login can timeout while you're typing a post in, tossing it out completely and leaving you with the maximally unhelpful messages:

        Your session timed out while posting. Please try to re-submit your message.
        No subject was filled in.
        The message body was left empty.

        I'm not seeing the benefit of this feature.

        I have seen this from time to time and have been able to recover by clicking on the browser back button and clicking the Post button again.

        wallabybob:

          @andrewinhawaii:

          Secondly: the first time I selected "Enable Static ARP entries" I read the warning "Note: Only the machines listed below will be able to communicate with the firewall on this NIC." too late.  As soon as I clicked on "Save" my whole system died.  The serial console worked, but I couldn't get in or out of the box.  Only after fidgeting, rebooting, and eventually removing the new firewall from service and restoring the old one, was I finally able to get it talking again.  What happened?  Why is this check box a "kill your working system" button?

          It isn't a "kill your working system" button, it's an enable static ARP entries button.

          @andrewinhawaii:

          Why does enabling static DHCP entries make everything else stop working?

          I presume you mean ARP rather than DHCP. I have two working pfSense systems with static DHCP entries. Static ARP uses the in-memory table to map from IP address to MAC address rather than asking the network "Who has IP address x.y.z.w?" If you want to communicate with IP address x.y.z.w and you have static ARP enabled and you haven't provided an IP address to MAC address mapping then the system won't be able to find the MAC address of the system with IP address x.y.z.w. Some people use this as a security measure.

          @andrewinhawaii:

          I'm not selecting that check box again until I can understand what's going on.

          That's probably a good general strategy, perhaps a corollary of "Don't sign anything you don't understand". But some people like adventure  :)

          andrewinhawaii:

            I guess I'm missing something.  This is "Enable Static ARP entries" in the "Services: DHCP Server" page.  Why would this cripple the firewall to filter on ARP entries?  For some reason, I thought that these were ARP entries (linking an IP to a MAC) for static DHCP clients that should be assigned a fixed address by dhcpd.  If this is not how to accomplish this goal, then I'd appreciate some help about how I go about configuring ISC dhcpd's configuration file like I have used for nearly a decade:

            group {

              # Compaq T300 Laptop
              host windows2 {
                hardware ethernet 00:d0:59:17:55:dd;
                option broadcast-address 10.0.255.255;
                option host-name "windows2";
                fixed-address windows2.example.com;
                option domain-name-servers 10.0.0.1;
                option ntp-servers 10.0.0.1;
              }
            …

            wallabybob:

              @andrewinhawaii:

              I'd appreciate some help about how I go about configuring ISC dhcpd's configuration file like I have used for nearly a decade:

              On the Services  -> DHCP Server page click the "+" at the bottom of the page to add new entries to the (MAC address,  IP address, Hostname, Description) table.

              pfSense doesn't support as rich a set of combinations as would be available if you could edit the dhcpd configuration file yourself.

              pfSense keeps its configuration information in a single configuration file. On startup, configuration files for individual utilities are regenerated from the pfSense configuration file.

              andrewinhawaii:

                I see now from interfaces_staticarp_configure($if) that staticarp actually has nothing to do with dhcpd whatsoever.  It simply cribs the MAC & IP pairs from the dhcpd configuration and uses them after issuing:

                ifconfig $if staticarp
                arp -d -i $if -a

                which disables ARP discovery on interface $if, flushes all the existing entries, and then repopulates the ARP table with:

                arp -s $ip $mac

                Which can totally bone you if you have not prepared by entering any MAC & IP pairs.  Other than the cryptic warning, I think it would be nice to explain that this has nothing to do with DHCP, and means disabling ARP discovery for that interface.  Perhaps in the Note: or in pop-up help.

                But all that still doesn't explain why IP addresses must be used instead of the FQDN?

                Andrew

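Added example (not pfSense's own code, and not from either poster): a dry-run planner in Python that reproduces the command sequence Andrew found in interfaces_staticarp_configure() and adds the precondition check wallabybob's explanation implies, namely that every host the firewall still needs to reach on that interface must already have a MAC/IP pair before static ARP is switched on. The function names, the interface name em0, the /16 network and the MAC/IP/hostname rows are constructed for the example; `ifconfig <if> -staticarp` is the FreeBSD ifconfig syntax for turning the flag back off from the console.

```python
# Added example (not pfSense code): plan the static ARP switch the thread
# describes, but refuse to emit it when it would lock the admin out.
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


class LockoutRisk(Exception):
    """Raised when enabling static ARP would leave a required host unreachable."""


# Constructed sample of pfSense-style static DHCP mappings (MAC, IP, hostname).
SAMPLE_STATIC_MAPS = [
    {"mac": "00:D0:59:17:55:DD", "ipaddr": "10.0.0.20", "hostname": "windows2"},
    {"mac": "00:11:22:33:44:55", "ipaddr": "10.0.0.30", "hostname": "pap2t"},
]


def normalize_maps(static_maps, lan_net):
    """Validate the (IP, MAC) pairs and return them as a dict keyed by IP.

    Rejects malformed MACs, addresses outside the interface's network, and
    one IP claimed by two different MACs (the last would silently pick a winner).
    """
    net = ipaddress.ip_network(lan_net, strict=False)
    pairs = {}
    for entry in static_maps:
        mac = entry["mac"].strip().lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC for {entry.get('hostname')}: {entry['mac']}")
        ip = ipaddress.ip_address(entry["ipaddr"].strip())
        if ip not in net:
            raise ValueError(f"{ip} is not inside {net}")
        if ip in pairs and pairs[ip] != mac:
            raise ValueError(f"{ip} mapped to both {pairs[ip]} and {mac}")
        pairs[ip] = mac
    return pairs


def plan_static_arp(ifname, static_maps, must_reach, lan_net):
    """Return the ifconfig/arp commands pfSense issues, in the order the thread
    describes, after checking that the table will not isolate the firewall.

    must_reach: IPs the firewall must still talk to on this interface (the admin
    workstation, a next-hop router); each one needs a static mapping.
    """
    pairs = normalize_maps(static_maps, lan_net)
    if not pairs:
        raise LockoutRisk(f"no MAC/IP pairs for {ifname}: static ARP would isolate the firewall")
    missing = [h for h in must_reach if ipaddress.ip_address(h) not in pairs]
    if missing:
        raise LockoutRisk("required hosts without a static mapping: " + ", ".join(missing))
    # Same sequence as the thread: set the flag, flush the table, repopulate it.
    cmds = [f"ifconfig {ifname} staticarp", f"arp -d -i {ifname} -a"]
    cmds += [f"arp -s {ip} {mac}" for ip, mac in sorted(pairs.items())]
    return cmds


def recovery_commands(ifname):
    """What to type at the serial console to undo the switch and let ARP resolve again."""
    return [f"ifconfig {ifname} -staticarp"]


if __name__ == "__main__":
    for cmd in plan_static_arp("em0", SAMPLE_STATIC_MAPS, ["10.0.0.20"], "10.0.0.0/16"):
        print(cmd)
    print("recovery:", *recovery_commands("em0"))
```

Running it with an empty table, or with the admin workstation's address in `must_reach` but absent from the mappings, raises LockoutRisk before any command is produced, which is exactly the case that took Andrew's box off the network. The check belongs in front of the checkbox, not after it.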
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.