ISC-DHCP server not matching partial of the MAC address



  • Hi all,

    Let me explain a bit of the situation I have at the moment. The idea was working properly under a CentOS environment. We have different types of IP phones, YEALINK, AASTRA, SNOM and so on, in our company.

    To provision all these different phones we were using substring (hardware) match on the first 6 digits of the MAC address.

    Nowadays we are working with pfSense and it is also our DHCP server. When I do an option 66 text http://xxx.xxx.xxx.xxx/ps/snom/cfg, I will only get the right provisioning for all our SNOM phones. So no auto provisioning for the other types of IP phones.

    So therefore I made Additional Pools in our DHCP server.

    Pool Description YEALINK
    range: xxx.xxx.128.1 - xxx.xxx.128.10
    MAC Address Control: 00:15:65
    TFTP server: http://xxx.xxx.xxx.xxx./ps/yealink/cfg/

    Pool Description AASTRA
    range: xxx.xxx.128.11 - xxx.xxx.128.19
    MAC Address Control: 00:15:65
    TFTP server: http://xxx.xxx.xxx.xxx./ps/aastra/cfg/

    So I did a factory reset on the YEALINK phone and it will not get an IP address from the pool that I created. It will get an IP address outside the pool. And it will go to option 66 and try to get a SNOM firmware.

    I did read this article, but it was of no use: https://redmine.pfsense.org/issues/2241

    Here is the output of the dhcpd.conf:

    class "001565" {
            match if substring (hardware, 1, 3) = 00:15:65;
    }
    class "00085D" {
            match if substring (hardware, 1, 3) = 00:08:5D;
    }
    subnet xxx.xxx.128.0 netmask 255.255.252.0 {
            pool {
                    option domain-name-servers xxx.xxxx.131.254;
                    ddns-update-style interim;
                    range xxx.xxxx.128.20 xxx.xxx.129.254;
            }

    pool {
                    option domain-name-servers xxx.xxx.131.254;
                    allow members of "001565";
                    option tftp-server-name "http://xxx.xxx.xxx.xxx/ps/yealink/cfg/";
                    range xxx.xxx.128.1 xxx.xxx.128.10;
            }

    pool {
                    option domain-name-servers xxx.xxx.131.254;
                    allow members of "00085D";
                    option tftp-server-name "http://xxx.xxx.xxx.xxx//ps/aastra/cfg";
                    range xxx.xxx.128.11 xxx.xxx.128.19;

    The manual says as follows: http://linux.die.net/man/5/dhcpd.conf
    So I tried with quotes, but no luck.

    class "my-clients" {
              match if substring (hardware,1,8) = "00:1D:92" ;
    }
    pool {
              range 192.168.165.10 192.168.165.20;
              allow members of  "my-clients" ;
    }

    When I add the MAC address to the "DHCP Static Mapping", the MAC address will get the right provisioning.

    MAC ADDRESS: 00:15:65:2a:08:36
    CLIENT identifier: TEST
    TFTP Server: http://xxx.xxx.xxx.xxx/ps/yealink/cfg/

    I'm reading in the pfSense manual that matching part of the MAC address is possible. So why is the pool not working for me?

    Here is the output of tcpdump -vvv -i em1 port bootpc:

    15:10:53.867289 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
        0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:15:65:2a:08:36 (oui Unknown), length 548, xid 0xab36593e, secs 100, Flags [none] (0x0000)
      Client-Ethernet-Address 00:15:65:2a:08:36 (oui Unknown)
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Discover
        Client-ID Option 61, length 7: ether 00:15:65:2a:08:36
        T125 Option 125, length 37: 0.0.13.233.32.1.6.48.48.49.53.54.53.2.12.48.48.49.53.54.53.50.97.48.56.51.54.3.8.83.73.80.45.84.50.50.80
        MSZ Option 57, length 2: 576
        Parameter-Request Option 55, length 17:
          Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
          Domain-Name-Server, LOG, Hostname, Domain-Name
          BR, NTP, TFTP, BF
          Vendor-Option, Option 132, Option 133, Option 120
          Lease-Time
        Hostname Option 12, length 8: "SIP-T22P"
        Vendor-Class Option 60, length 7: "yealink"
        END Option 255, length 0
        PAD Option 0, length 0, occurs 214
    15:10:54.879881 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 333)
        pfSense.ipgroup.bootps > 10.254.129.106.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 305, xid 0xab36593e, secs 100, Flags [none] (0x0000)
      Your-IP xxx.xxx.129.106
      Server-IP bla.bla.local
      Client-Ethernet-Address 00:15:65:2a:08:36 (oui Unknown)
      file "/pxelinux.0"
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Offer
        Server-ID Option 54, length 4: pfSense.test
        Lease-Time Option 51, length 4: 86400
        Subnet-Mask Option 1, length 4: 255.255.252.0
        Default-Gateway Option 3, length 4: pfSense.test
        Domain-Name-Server Option 6, length 4: pfSense.test
        Domain-Name Option 15, length 13: "ipgroup.test"
        Vendor-Option Option 43, length 14: 49.48.46.50.53.52.46.49.51.49.46.49.51.50
        END Option 255, length 0
    15:10:54.926611 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
        0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:15:65:2a:08:36 (oui Unknown), length 548, xid 0xab36593e, secs 100, Flags [none] (0x0000)
      Client-Ethernet-Address 00:15:65:2a:08:36 (oui Unknown)
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Request
        Client-ID Option 61, length 7: ether 00:15:65:2a:08:36
        Requested-IP Option 50, length 4: xxx.xxx.129.106
        Server-ID Option 54, length 4: pfSense.test
        T125 Option 125, length 37: 0.0.13.233.32.1.6.48.48.49.53.54.53.2.12.48.48.49.53.54.53.50.97.48.56.51.54.3.8.83.73.80.45.84.50.50.80
        Parameter-Request Option 55, length 17:
          Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
          Domain-Name-Server, LOG, Hostname, Domain-Name
          BR, NTP, TFTP, BF
          Vendor-Option, Option 132, Option 133, Option 120
          Lease-Time
        Hostname Option 12, length 8: "SIP-T22P"
        Vendor-Class Option 60, length 7: "yealink"
        END Option 255, length 0
        PAD Option 0, length 0, occurs 206
    15:10:54.927888 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 333)
        pfSense.test.bootps > xxx.xxx.129.106.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 305, xid 0xab36593e, secs 100, Flags [none] (0x0000)
      Your-IP 10.254.129.106
      Server-IP bla.bla.local
      Client-Ethernet-Address 00:15:65:2a:08:36 (oui Unknown)
      file "/pxelinux.0"
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: pfSense.test
        Lease-Time Option 51, length 4: 86400
        Subnet-Mask Option 1, length 4: 255.255.252.0
        Default-Gateway Option 3, length 4: pfSense.test
        Domain-Name-Server Option 6, length 4: pfSense.test
        Domain-Name Option 15, length 13: "test.local"
        Vendor-Option Option 43, length 14: 49.48.46.50.53.52.46.49.51.49.46.49.51.50
        END Option 255, length 0

    15:11:00.716888 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
        xxx.xxx.129.106.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:15:65:2a:08:36 (oui Unknown), length 548, xid 0xab36593e, secs 100, Flags [none] (0x0000)
      Client-IP 10.254.129.106
      Client-Ethernet-Address 00:15:65:2a:08:36 (oui Unknown)
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Inform
        Client-ID Option 61, length 7: ether 00:15:65:2a:08:36
        T125 Option 125, length 37: 0.0.13.233.32.1.6.48.48.49.53.54.53.2.12.48.48.49.53.54.53.50.97.48.56.51.54.3.8.83.73.80.45.84.50.50.80
        Requested-IP Option 50, length 4: 10.254.129.106
        Parameter-Request Option 55, length 17:
          Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
          Domain-Name-Server, LOG, Hostname, Domain-Name
          BR, NTP, TFTP, BF
          Vendor-Option, Option 132, Option 133, Option 120
          Lease-Time
        Hostname Option 12, length 8: "SIP-T22P"
        Vendor-Class Option 60, length 7: "yealink"
        END Option 255, length 0
        PAD Option 0, length 0, occurs 212

    15:11:03.809395 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
        xxx.xxx.129.106.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:15:65:2a:08:36 (oui Unknown), length 548, xid 0xab36593e, secs 100, Flags [none] (0x0000)
      Client-IP xxx.xxx.129.106
      Client-Ethernet-Address 00:15:65:2a:08:36 (oui Unknown)
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Inform
        Client-ID Option 61, length 7: ether 00:15:65:2a:08:36
        T125 Option 125, length 37: 0.0.13.233.32.1.6.48.48.49.53.54.53.2.12.48.48.49.53.54.53.50.97.48.56.51.54.3.8.83.73.80.45.84.50.50.80
        Requested-IP Option 50, length 4: 10.254.129.106
        Parameter-Request Option 55, length 17:
          Subnet-Mask, Time-Zone, Default-Gateway, Time-Server
          Domain-Name-Server, LOG, Hostname, Domain-Name
          BR, NTP, TFTP, BF
          Vendor-Option, Option 132, Option 133, Option 120
          Lease-Time
        Hostname Option 12, length 8: "SIP-T22P"
        Vendor-Class Option 60, length 7: "yealink"
        END Option 255, length 0
        PAD Option 0, length 0, occurs 212



  • The DHCP server web configuration GUI of pfSense is not designed for this type of application.
    You'd be better off leaving this DHCP configuration on the PBX.



  • Well, this is a bit strange, because on CentOS we use the same ISC DHCP server, where I could pass DHCP options and this would match on MAC digits. So why is it not possible with the pfSense DHCP server? The options are the same. I also edited the dhcpd.conf on the pfSense to test some options. Yes, I know that a restart would set the dhcpd.conf to default.

    Kill -HUP processid dhcp should do the trick.

    The issue seems to be that it is not matching the first 6 digits of the MAC address.


  • Any changes you made outside of the GUI will be overwritten. This will NOT work.



  • @mkarci:

    Well, this is a bit strange, because on CentOS we use the same ISC DHCP server, where I could pass DHCP options and this would match on MAC digits. So why is it not possible with the pfSense DHCP server? The options are the same. I also edited the dhcpd.conf on the pfSense to test some options. Yes, I know that a restart would set the dhcpd.conf to default.

    Kill -HUP processid dhcp should do the trick.

    The issue seems to be that it is not matching the first 6 digits of the MAC address.

    You are trying to use pfSense for something that it wasn't intended for.

    Just because you could make hard boiled eggs in your microwave doesn't mean that you should, or that it is a good idea.



  • People, come on. These are just standard options for an ISC DHCP server, and pfSense is running the ISC DHCP server. This is just a layer 2 match on MAC. We are not doing a cooking lesson here. We are all sysadmins and we want to know the reason why this is not working. Right now I do not care about the GUI. That we could make changes in the services.inc





  • Glad you found an answer.

    There are a couple of inconsistencies in the original question, and the isc-dhcp man page isn't any more helpful in clearing this up.
    You make reference to
    substring (hardware,1,8) = "00:1D:92" ;
    and
    substring (hardware, 1, 3) = 00:15:65;
    and
    substring (hardware, 1, 3) = 00:08:5D;

    I notice one is using a length of 8, which if looking strictly at ASCII characters matches 00:1D:92
    While the other two references are only using a length of 3, so it will match in both cases to 00:, assuming it is looking at ASCII characters, in which case it would only ever match the first case.

    Lastly, since vendors don't always occupy the same MAC address space; just look at how many prefixes Cisco/Linksys uses, I'd recommend using vendor classes instead, that way, irrespective of what MAC address is presented, it will match based on the vendor class (option 60) sent from the client to the DHCP server.
    In fact, you can even see that in the packet capture you took:
    Vendor-Class Option 60, length 7: "yealink"

    So it becomes substring (option vendor-class-identifier, 0, 7) = "yealink";

    Just my 2¢
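
Added example (not part of any post in this thread, and not dhcpd source): a small Python model of how ISC dhcpd evaluates the `substring` expressions quoted above, using the MAC address and option 60 value from the capture in the first post. The helper names are hypothetical; it assumes the dhcp-eval rules that `hardware` is one type byte followed by the raw address bytes, that an unquoted colon-separated token is hex data, and that a quoted token is ASCII text.

```python
# Model of dhcpd expression evaluation for the classes discussed in this thread.
# All function names are hypothetical; this is not ISC code.

def hardware(mac: str, htype: int = 1) -> bytes:
    """dhcpd's `hardware` data: one type byte (1 = Ethernet) + raw MAC bytes."""
    return bytes([htype]) + bytes.fromhex(mac.replace(":", ""))

def substring(data: bytes, offset: int, length: int) -> bytes:
    """Empty if offset is past the end; otherwise whatever bytes are
    available from offset, up to `length` (a Python slice behaves the same)."""
    return data[offset:offset + length]

def literal(token: str) -> bytes:
    """Quoted token -> ASCII text; unquoted colon-separated token -> hex bytes."""
    if token.startswith('"') and token.endswith('"'):
        return token[1:-1].encode("ascii")
    return bytes(int(octet, 16) for octet in token.split(":"))

def matches(data: bytes, offset: int, length: int, token: str) -> bool:
    return substring(data, offset, length) == literal(token)

# Constructed inputs, taken from the tcpdump output in the first post.
PHONE_HW = hardware("00:15:65:2a:08:36")
PHONE_VCI = b"yealink"  # Vendor-Class Option 60 sent by the phone

def evaluate_thread_expressions() -> dict:
    return {
        # Binary compare of MAC bytes 1..3 against hex data.
        'substring(hardware, 1, 3) = 00:15:65':
            matches(PHONE_HW, 1, 3, "00:15:65"),
        'substring(hardware, 1, 3) = 00:08:5D':
            matches(PHONE_HW, 1, 3, "00:08:5D"),
        # Man-page style quoted form, with this phone's prefix: 6 raw bytes
        # are compared against 8 ASCII characters.
        'substring(hardware, 1, 8) = "00:15:65"':
            matches(PHONE_HW, 1, 8, '"00:15:65"'),
        # Offset 0 includes the hardware-type byte.
        'substring(hardware, 0, 3) = 00:15:65':
            matches(PHONE_HW, 0, 3, "00:15:65"),
        'substring(option vendor-class-identifier, 0, 7) = "yealink"':
            matches(PHONE_VCI, 0, 7, '"yealink"'),
    }

if __name__ == "__main__":
    for expr, result in evaluate_thread_expressions().items():
        print(f"{'MATCH   ' if result else 'no match'}  {expr}")
```

Both the hardware address and option 60 are client-supplied values, so a class built on either one selects a provisioning profile; it does not authenticate the device.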



  • The reference to the man page was because it uses quotes around MAC addresses. Cisco we do not use; Yealink, Snom and Aastra are what we use. So vendor-class-identifier is irrelevant for us. And also with pfSense you can use DHCP options like 60 or 66 once in the main pool. In a sub pool only MAC-based restrictions are possible.

    Well any way this works for us.

