DHCP lease duplicate errors.
-
You clearly are doing something special there. I'd suggest to disable the captive thing and see how it goes.
-
Thanks for the suggestion.
However, disabling the captive portal now is not an option since I have several clients that need authenticating on this network.
What do you mean that I'm doing something special?
I'm running PF with Captive portal and Squid (that's just ordinary). Can you point out what your hypothesis is as to what I'm doing wrong here, if that's what you meant?
If this info is relevant, I'm using these adapters:
Intel PRO 1000MT Dual Port server adapter
-
You don't have a machine that is inadvertently connected to the network via a wired interface and wifi at the same time, do you?
742b:22:38:a1 74DE2B Liteon Technology Corporation (probably wireless N knowing Liteon)
90:4c:e5:89:ed:25 904CE5 Hon Hai Precision Ind. Co.,Ltd. (Probably wired maybe on a foxconn board)
Got something like that in your network?
-
> You don't have a machine that is inadvertently connected to the network via a wired interface and wifi at the same time, do you?
> 742b:22:38:a1 74DE2B Liteon Technology Corporation (probably wireless N knowing Liteon)
> 90:4c:e5:89:ed:25 904CE5 Hon Hai Precision Ind. Co.,Ltd. (Probably wired maybe on a foxconn board)
> Got something like that in your network?
Yes, I do have 15 PCs and Access Points wired to the LAN (no wireless at the same time though). All of them are entered in the Passthru-MAC of the Captive portal, all recently on static IP configuration with a subnet of /24, and all are also entered in the DHCP Static Mappings on the DHCP server. Is there anything wrong in this setup?
More info:
PF Gateway 172.16.24.1
Enabled DHCP server on LAN interface
Subnet 172.16.24.0
Subnet mask 255.255.248.0
Available range 172.16.24.1 - 172.16.31.254
Range 172.16.26.1 - 172.16.31.254 (for dynamic clients on hotspot/wifi)
Static clients 172.16.24.1 /24
All duplicate lease errors happen on the dynamic wifi clients.
-
> All duplicate lease errors happen on the dynamic wifi clients.
Hence why I told you to disable the captive thing. Seriously, I don't get why this thing is so popular. It's heavily broken, and especially with smartphones. Nothing works till you open a browser. Internet != web. Need authentication? Fine, use RADIUS or some other standard thing.
-
I understand why people would want something like captive portal. If they run a hotel or some public hotspot within easy access of a bunch of wifi hitch-hikers. But if I ran it, it would have to be a matter of need like that. Not a situation where I know the same 20 or 30 people / machines using it.
It would need to be a very chaotic coming and going of people and seldom the same guy twice scenario to make me want it.
> "Range 172.16.26.1 - 172.16.31.254 (for dynamic clients on hotspot/wifi)"
Do you really have that many wireless clients? Why not a simple /24?
You seem to have allocated a pretty enormous space for all of this.
And with this subnet - 172.16.24.0
and this mask 255.255.248.0
Might complicate things a bit.
This can't be done simpler?
3 ports, 1 for WAN, 1 for LAN, 1 for OPT1 wireless (with LAN and OPT1 on separate subnets, each getting a simple /24)
Then use captive portal on LAN and OPT1. (If you absolutely must have it)
I might even add another OPT2 so that I have the "LAN" interface unmolested by captive portal for myself. Call it an isolated admin subnet.
I'm simple minded. I like simple networks with clear simple divisions to the extent that it's not too expensive or hardware intensive.
-
> All duplicate lease errors happen on the dynamic wifi clients.
> Hence why I told you to disable the captive thing. Seriously, I don't get why this thing is so popular. It's heavily broken, and especially with smartphones. Nothing works till you open a browser. Internet != web. Need authentication? Fine, use RADIUS or some other standard thing.
Thanks for the suggestion.
I did consider the RADIUS server at one time, but I decided on Captive portal because of its simplicity in connecting clients. No need to encode client accounts on the RADIUS server, and handling vouchers was viewed as a more simplified approach for customers that are transient, and they can be easily sold off the shelf.
The Access Points are located at the park with several colleges nearby, the other at the terminal, and I have another 2 of these in a busy neighborhood.
However, I may view the RADIUS server as a good option if it can generate codes as well, without a need to track every transient client's details.
-
@ kejianshi,
Thank you for your kind reply.
The Access Points are indeed located in quite busy locations, and therefore will require a large range of IP addresses.
I also adore the elegance of simplicity.
Since I'm using 2 dual Intel server NICs, I segregated the LAN clients and the wifi users before. The setup you described was quite identical to my setup before.
However, since my wifi controller is on the LAN side of PF and I wish to manage the Access Points and other LAN devices, I've decided to integrate both LAN and wireless users. This enabled me to monitor my entire network on a single management PC. I'm using Ubiquiti UniFi APs and several AirMax wireless bridges. This also allows me to add APs on the same network as desired.
Just recently I decided to put all APs on static IPs, and yesterday I only had 2 lease errors. Looks like I'm doing something right here. Will update you guys if this does the trick. I still have some wireless bridges on the network to configure in static mode.
-
Ahhhhh - Yes. It's hard to control things with people coming and going. Where is this located? (just wondering)
-
After configuring all my wireless bridges to static IPs and mapping them on PF, I still have a few duplicate lease errors.
I'm pulling my hair off! >:( and I'm running out of options.
In addition, today another seemingly alarming log shows:
Aug 2 17:24:26 kernel: arp: 172.16.26.20 moved from 34:6b:d3:4c:d0:26 to 94:db:c9:0e:23:82 on em0
Aug 2 17:24:26 kernel: arp: 172.16.26.20 moved from 94:db:c9:0e:23:82 to 34:6b:d3:4c:d0:26 on em0
Aug 2 16:00:43 kernel: arp: 172.16.31.14 moved from 34:6b:d3:4c:d0:26 to 8c:a9:82:ac:fc:50 on em0
Aug 2 16:00:43 kernel: arp: 172.16.31.14 moved from 8c:a9:82:ac:fc:50 to 34:6b:d3:4c:d0:26 on em0
Is someone mac spoofing the captive portal? Could this be the culprit of the duplicate errors? ???
-
If you are allowing access per MAC, then yes. MACs can easily be spoofed or even duplicated at many sites to get onto your network.
-
Agree. I think the captive portal associates the voucher codes with the client's MAC address. Once they're paired after authentication, that MAC address is granted a pass-through to access the internet. If someone knows a MAC that is already authenticated and clones that to his device, he may be able to have a free connection.
Is this what it looks like in the logs? Is my speculation not far-fetched? Are there any scenarios less suspicious?
-
Or the IPs are being handed out via DHCP, so each time a previously known MAC's IP is changed for some reason, you will see that also.
If you see the same MAC used simultaneously and switching back and forth a lot, it's probably been spoofed. This is an unsecured, unencrypted wifi?
-
> Or the IPs are being handed out via DHCP, so each time a previously known MAC's IP is changed for some reason, you will see that also.
Thank you.
Can this scenario result in duplicate lease errors?
> If you see the same MAC used simultaneously and switching back and forth a lot, it's probably been spoofed. This is an unsecured, unencrypted wifi?
In the logs the MAC-changing errors occurred at the same time. Yes, this is unsecured and unencrypted wifi.
-
If it's unsecured there, yes. More than likely someone is using a simple packet sniffer and has a record of all the MACs in use on your system. This would be very easy for them to get on an unsecured wifi. Hacking wifi is like a national sport there.
-
waaaaaa… I'll be damned if this is happening here too.
The log above just shows that the MACs have been cycling on just three addresses:
34:6b:d3:4c:d0:26 = MAC address 346BD3 Company Huawei
94:db:c9:0e:23:82 = MAC address 94DBC9 Company Azurewave
8c:a9:82:ac:fc:50 = MAC address 8CA982 Company Intel Corporate
I'm wondering how to make this public hotspot more secure. Should I migrate away from PF's Captive portal?
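Added example (my own code, not from anyone in this thread or from pfSense): a small Python parser for the FreeBSD kernel `arp: ... moved from ... to ...` lines quoted above. It flags an IP whose MAC flips A->B and straight back B->A within a short window (the "switching back and forth" pattern the reply above treats as likely spoofing) and separately lists any MAC that shows up on more than one IP, as 34:6b:d3:4c:d0:26 does here. A lone move, such as a DHCP lease legitimately handed to a new host, is not flagged. The sample log is the thread's four lines plus one constructed single-move line; the 60-second window is an assumed threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four lines from the thread plus one harmless single move.
SAMPLE_LOG = """Aug 2 17:24:26 kernel: arp: 172.16.26.20 moved from 34:6b:d3:4c:d0:26 to 94:db:c9:0e:23:82 on em0
Aug 2 17:24:26 kernel: arp: 172.16.26.20 moved from 94:db:c9:0e:23:82 to 34:6b:d3:4c:d0:26 on em0
Aug 2 16:00:43 kernel: arp: 172.16.31.14 moved from 34:6b:d3:4c:d0:26 to 8c:a9:82:ac:fc:50 on em0
Aug 2 16:00:43 kernel: arp: 172.16.31.14 moved from 8c:a9:82:ac:fc:50 to 34:6b:d3:4c:d0:26 on em0
Aug 2 18:10:05 kernel: arp: 172.16.26.44 moved from 00:11:22:33:44:55 to 66:77:88:99:aa:bb on em0
"""

# Syslog timestamp (no year), then the kernel arp "moved" message.
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) kernel: arp: (?P<ip>[\d.]+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)$"
)


def parse_arp_moves(text):
    """Return a list of (timestamp, ip, old_mac, new_mac, iface) for every arp 'moved' line."""
    events = []
    for line in text.splitlines():
        m = ARP_MOVED.match(line.strip())
        if not m:
            continue  # not an arp move; other kernel lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year defaults to 1900, fine for deltas
        events.append((ts, m["ip"], m["old"], m["new"], m["ifname"]))
    return events


def find_flapping(events, window_seconds=60):
    """Map ip -> frozenset{mac_a, mac_b} for IPs whose MAC moved A->B then B->A within the window."""
    by_ip = defaultdict(list)
    for ts, ip, old, new, _ in events:
        by_ip[ip].append((ts, old, new))
    flapping = {}
    for ip, moves in by_ip.items():
        moves.sort()  # chronological; equal timestamps still pair up because the check is symmetric
        for (t1, o1, n1), (t2, o2, n2) in zip(moves, moves[1:]):
            if o2 == n1 and n2 == o1 and (t2 - t1).total_seconds() <= window_seconds:
                flapping[ip] = frozenset((o1, n1))
    return flapping


def macs_on_multiple_ips(events):
    """Map mac -> sorted list of IPs for any MAC involved in moves on more than one IP."""
    ips_by_mac = defaultdict(set)
    for _, ip, old, new, _ in events:
        ips_by_mac[old].add(ip)
        ips_by_mac[new].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
```

On a pfSense box the same lines come from `clog /var/log/system.log`; feeding that output to `parse_arp_moves` gives you a quick, periodic check instead of reading the log by hand.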
-
Use captive portal with WPA2.
This way, in the future, a person standing to the side can't sniff the unencrypted packets, get your MACs then use the MACs to get a free ride on your wifi.
It won't prevent one of your customers from sharing the WPA2 key though if they purposely want to do that.