Independent Interface DHCP Servers not working
-
Try using RFC 1918 address space…
https://www.arin.net/knowledge/address_filters.html
-
STEALING?! Maybe I'm overreacting, but I did clearly state that it was a completely random choice and I am a bit mad about this.
So… lemme get this straight:
a) Despite the fact that Network Address Translation strips the local IPs off the local LAN and attaches the WAN/ISP IP for traffic leaving the gateway to the outside world, it still matters what IP addresses your intranet/local LANs are set to? I seriously beg to differ, especially since this is my house, but I WANT to hear the public's response to this because I'm learning networking and clearly I've missed something.
And
b) My totally random IP address selection for my local, behind-the-NAT LAN actually turned out to be those in use by Verizon? Not deliberate on my part, so yeah, I am a bit incensed by the theft comment. It was a completely random, off the top of my head choice.
But still... If I'm behind NAT, I really don't care what my IP addresses are. Why should I? If we weren't allowed to set our LAN addressing to be whatever we wanted, then we'd have IP address restrictions not dissimilar to the very reason we have NAT in the first place. How many networks in the world sit behind NAT with thousands upon thousands of devices connected to them that are probably sharing the same network IP?
Am I committing a crime? Is there a licensing fee I'm missing somewhere? It's my private network. I really don't care what the addresses are as long as it works, but I'd like to understand my transgressions. Please respond because this makes no sense to me. If those IP addresses aren't directly facing the Internet on a private LAN, I just don't see why it would matter. I wasn't trying to steal anyone's IPs, and if it actually makes pfSense work, I'll switch to another network class.
-
These guys know what they're doing and have been doing it a long time. In all honesty, you came on here for help, so why aren't you taking it? If the internal IP settings don't matter so much, then why not just use the ones that are RESERVED for internal use and get rid of a variable altogether? I'm relatively new to this forum and that comment even infuriated ME!
-
Yes, the public internet is protected against your use of address space officially allocated to someone else. Your NAT does that for a start, and even if there is a NAT configuration issue and some packets get out with those public IP addresses then your upstream ISP should throw them away (source IPs that should not originate in their network) and the internet backbone certainly will not route replies back to you.
But if you try to access a public web site/service that happens to be on one of the public IP addresses that you have re-used for your LAN, then your LAN client is going to think it is on your local LAN. The LAN client will not be able to access the site/service. You shoot yourself in the foot.
-
It's not that you're stealing, or that there is a law that says you cannot use those on a private network. It's just not a sane setup. There is RFC 1918 space specifically reserved for local private networks.
10.x.x.x, 192.168.x.x, 172.12-16.x.x which you can subnet down all you want, etc. This gives you millions of IPs and networks to use – there is no reason to use space that is designed to be public facing and owned and used by someone else.
While yes, you're behind a NAT and you could use it, you're just going to cause yourself pain doing something like that. If the network you just happen to randomly pick is something you want to actually get to on the internet, good luck. Does your local DNS have that as a local in-addr.arpa zone? If not, you could be sending some odd PTR queries for the real IPs in use.
There is just not one valid reason to do such a thing. I know that if you use public IPv4 space, the out-of-the-box 6to4 interface in Windows will register its IPv6 address in your AD DNS, etc.
There is just not one valid reason not to use the space assigned for private local networks. https://tools.ietf.org/html/rfc1918 http://en.wikipedia.org/wiki/Private_network
-
Regardless of your use of someone else's IP addresses internally (there is no reason to do so and plenty of reasons not to), are you just plugging both ports 2 & 3 into one unmanaged switch?
If you want to plug both into one switch you will need a managed switch and two VLANs. Or a separate switch for each LAN.
-
^ Yup, good catch Derelict, it does sound like he is trying to run 2 segments over the same physical network. But I am with Dok – fix that clearly insane setup of just grabbing random netblocks to use on your local network before working out the actual problem ;)
-
O.k. First of all, let me say… all of you guys are wonderful for the responses you gave. Thanks a million. The day I made my reply, I'd already had a really bad day, was in a horrible mood, and the whole stealing comment really set me off. I actually deleted lots of even more incensed comments before I posted.
But the truth is... I'm really just trying to understand why what I did was a bad thing to begin with, ultimately to understand networking better. That's why, Technical Ownage, I didn't just say "o.k., I'll change my IPs". I wanted to open a discussion on this to get more insight. I clearly don't know nearly enough about networking to understand all of this because I don't understand half of what johnpoz is talking about, specifically the "local in-addr.arpa zone" and "PTR" bits. That and I never thought that NAT wasn't perfect. I always assumed it did its job perfectly, that whatever IP my LAN was set to, NAT always did the job of never releasing that to the Internet. I think I'm starting to see the real issue though, and thanks guys for the RFC and other internet references. I shall be reading those and furthering my research.
No, I'm not running both ports into one unmanaged switch. But since you mentioned it... it sure does sound like I am, doesn't it? I actually tried various scenarios across different ports. I have one old Linksys WAP/Switch/Router combo (DHCP disabled on the Linksys, connected to switch only, NOT the WAN port) connected to port 2 and a laptop connected directly to port 3, and the devices connected wirelessly to the Linksys dropped the IP addressing from port 2 and picked up the addressing from port 3 on the card as soon as I enabled DHCP on port 3. If I reverse the port connections (Linksys in port 3, laptop in port 2), the laptop will switch to the IP addressing across port 3 when I enable DHCP on that interface. It really makes no sense, but the switching seems to be consistent with the port, for what that's worth. I need to double check that though. That's from memory and it's been a week since I tested this.
I'm totally going to re-vamp my IP addressing as soon as I get a minute. After all the fuss, I have this strange feeling that correcting my IP mess is just going to fix everything.
I always manage to break the rules as soon as I get deep enough into something without knowing enough to know that I'm breaking them. I'll be doing serious reading up on public IP address space now. This is new to me. I thought any IP was anybody's IP as long as you were behind NAT and not facing the Internet. Fascinating.
-
No reason to use someone else's routable IPs on your internal network. Period. It only sets you up to fail later. Get over it. We are right. You are wrong. There is no reason to debate something that was settled 30 years ago.
Some random choices:
10.197.104.0
172.19.30.0
192.168.185.0
-
"But the truth is… I'm really just trying to understand why what I did was a bad thing to begin with"
I clearly gave you 2 reasons not to do what you were doing that have nothing to do with rules or best practice.
If google.com is hosted on the 1.2.3.4 address and you say 1.2.3.0/24 is local, how do you think you're ever going to get to google.com?
When any of your applications try to do a PTR, say an SSH server or email server, or firewall for example (there are plenty of applications that will do a PTR, i.e. look up the IP to map it to a name, the reverse of you looking up mail.gmail.com to point to 1.2.3.4) on the IP that hits it, then unless you have set up that in-addr.arpa zone that says you are the authoritative name server for that netblock, that query will go out to the internet.
Now when your workstation does something, your firewall will say, for example, that mail.google.com did it.
example
;; QUESTION SECTION:
;mail.google.com. IN A
;; ANSWER SECTION:
mail.google.com. 604800 IN CNAME googlemail.l.google.com.
googlemail.l.google.com. 300 IN A 173.194.46.117
;; QUESTION SECTION:
;117.46.194.173.in-addr.arpa. IN PTR
;; ANSWER SECTION:
117.46.194.173.in-addr.arpa. 86400 IN PTR ord08s13-in-f21.1e100.net.
So would you like your host, say if you were using 173.194.46.117 locally, and your firewall tried to resolve that IP for you, to come back as ord08s13-in-f21.1e100.net?
"the laptop will switch to the IP addressing across port 3 when I enable DHCP on that interface."
Sorry, that is just not possible. Unless you have your interfaces bridged in pfSense? Or you have a switching loop.
So you have this - see attached. So unless you have DHCP enabled on your wifi router, or pfSense interfaces 1 and 2 bridged? Or maybe you have set a static IP in pfSense for the MACs of these devices. There was something odd a while back where if you had a static setup and then limited DHCP leases to known MACs, etc.
But I find it unlikely you're doing that.
Why don't you look at ipconfig /all on one of these devices, and then, when it switches IPs to this other lease, what is the IP address of the DHCP server?
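An added check, not from this thread or from pfSense, that puts johnpoz's two points into code: it tests whether a LAN prefix sits inside RFC 1918 space, lists which Internet hosts a client on that prefix would wrongly treat as on-link, and builds the in-addr.arpa names a local DNS would have to answer to keep PTR queries from leaking. The function names are mine; the inputs are Derelict's three suggested prefixes plus the 173.194.46.0/24 block holding the Google address from the dig output, used here as constructed sample data.

```python
import ipaddress

# RFC 1918 private ranges (the space the thread says to use).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix):
    """True if the whole prefix lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def shadowed_hosts(lan_prefix, public_ips):
    """Public IPs a client on lan_prefix would ARP for locally instead of
    sending to the gateway, i.e. Internet hosts it can no longer reach."""
    net = ipaddress.ip_network(lan_prefix, strict=False)
    return [ip for ip in public_ips if ipaddress.ip_address(ip) in net]


def ptr_name(ip):
    """Name a PTR lookup for ip asks about, e.g. 117.46.194.173.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone(lan_prefix):
    """in-addr.arpa zone a local DNS would have to be authoritative for so
    PTR queries for the LAN stay inside. Only /8, /16, /24 are octet-aligned."""
    net = ipaddress.ip_network(lan_prefix, strict=False)
    if net.prefixlen not in (8, 16, 24):
        return None
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def audit(lan_prefix, public_ips):
    """Summarise what a chosen LAN prefix costs you."""
    return {
        "prefix": lan_prefix,
        "rfc1918": is_rfc1918(lan_prefix),
        "shadowed": shadowed_hosts(lan_prefix, public_ips),
        "reverse_zone": reverse_zone(lan_prefix),
    }


if __name__ == "__main__":
    # Constructed input: Derelict's three suggestions plus the public /24
    # holding the Google address from the dig output in the thread.
    known_public = ["173.194.46.117", "8.8.8.8"]
    for p in ("10.197.104.0/24", "172.19.30.0/24",
              "192.168.185.0/24", "173.194.46.0/24"):
        print(audit(p, known_public))
```

Only the 173.194.46.0/24 line reports a shadowed host; the three RFC 1918 prefixes shadow nothing on the Internet, which is the whole point of using them.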
