Dynamically allocated IPs not showing up in ARP table



  • We've just set up pfsense, and we set the

    • Deny unknown clients
    • Enable Static ARP entries

    Options. Essentially, we want every host on the network to have registered their MAC address. This works well.  However, for those hosts that have their MAC address registered, but that pull a dynamic IP from the DHCP server, those machines never show up in the ARP table, and can't get outside of the firewall. Only when we assign a static IP address do they show up in the ARP table.

    Any ideas?

    thanks :)
    Collin



  • from DHCP-GUI

    Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

    the "only the machines listed below" referrs to the list below where you assign static IP's to MAC's
    –> exactly the behaviour you described :)

    you could set up 2 DHCP's
    one which only accepts registred clients (with an static entry) and one with a range which cannot get outside your network but on a page where they can register themself.

    2 friends of me and i have thought about writing something for a LAN-Party where the clients could authentificate themself and our script would add their MAC to the static list. but we havent made much progress :(



  • It sounded like it should include those entries without an IP address that had the IP address pulled from the DHCP dynamic IP pool. :(



  • The behavior is correct.  You must setup a static DHCP entry with mac for every host.

    Without pfSense knowing the mac address before hand there is no way to add it to the arp table to allow it to communicate.



  • Hmm, ok. Thanks for the info!  :)



  • I'm in cvandyck's camp and had one other question. Basically, what we trying to do with that setting was to restrict people's ability to simply set a static IP if their machine's mac address was not registered for a dynamic one with the DHCP server.

    Is there any way to:
    1. Restrict dynamic IPs to registered mac addresses, and
    2. Restrict traffic for all static IP addresses that are not listed in the static mappings


Log in to reply