Unable to get multiple DHCP pools working

  • I am on the current stable release 2.1.3 of pfsense.
    I have 4 nics altogether but only use 2 currently (WAN + 4 VLANS on one nic).
    The main vlan is configured with a /24 that I have split into 2 smaller pools (see config below).  The problem I am having is that my client mac listed in the config below is not getting any IP at all.  When I check the log I am seeing:
    "dhcpd: DHCPDISCOVER from dc:2b:61:80:ad:82 via em1_vlan100: network no free leases"

    Based on everything I have read this is setup correctly with a deny on the one pool and an allow on the other.  I have also rebooted both the client and the pfsense serve.  It seems as if this may be a bug as the second pool is completely open allowing that mac but the dhcp server thinks there are no addresses available based on the log entry I am seeing or did I miss something in the configuration?

    option domain-name "home";
    option ldap-server code 95 = text;
    option domain-search-list code 119 = text;
    default-lease-time 7200;
    max-lease-time 86400;
    log-facility local7;
    one-lease-per-client true;
    deny duplicates;
    ping-check true;
    class "dc2b6180ad82" {
            match if substring (hardware, 1, 6) = dc:2b:61:80:ad:82;
    subnet netmask {
            pool {
                    option domain-name-servers,;
                    deny members of "dc2b6180ad82";
            pool {
                    option domain-name-servers,;
                    allow members of "dc2b6180ad82";
                    deny unknown-clients;
            option routers;
            option domain-name-servers,;

  • Rebel Alliance Developer Netgate

    You have "deny unknown clients" set on the second pool. For that to work you need to add a static mapping for the MAC you gave. The class does not make the client "known" in the way that option requires.

  • Jimp,

    I understand that I have deny unknown clients on the second pool.    If you see I have a mac address in deny members on the first pool but it is allowed member on the second pool.  From my understanding of how the secondary pools are suppose to work that device should have pulled an address from secondary pool but it didn't.  It actually wouldn't pull an address at all even though it was allowed on the secondary pool.

    Is my thinking a bit backwards on this one and putting a deny members on the primary will actually deny it access to both pools, same with checking the deny unknown clients box on the primary?

  • Rebel Alliance Developer Netgate

    Putting a MAC into the allow list does not make it a "known" client – static mapping entries do.

  • Thanks jimp!

    I stuck to just using the allow mac address control and it worked the way I was expecting.  For some reason I got it in my head that the deny unknown clients needed to be checked for mac address control to work.

Log in to reply