Topic: force client get ip with /32 subnet in dhcp server

reza.mnp
« on: December 29, 2017, 01:14:39 pm »
How can the DHCP server force an IP with /32 on a client, like the MikroTik DHCP server?
Is it possible in pfSense or BSD?
The client gets an IP with /32 (255.255.255.255) like PPPoE (block broadcast).

johnpoz
« Reply #1 on: December 29, 2017, 05:23:36 pm »
Why would you want/need to do this?  Been in networking for going on 30 years.. Why would you want this?  A /32 is good for firewall rules.. Seems utterly pointless on a host that would be on a network..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

reza.mnp
« Reply #2 on: December 29, 2017, 10:32:47 pm »
Like the attachment.
I have a VLAN with /20 clients. I want to block broadcast on the wireless access points that have no option for client isolation.

GruensFroeschli
« Reply #3 on: December 30, 2017, 03:02:32 am »
If your use case is an AP which doesn't have the option for client isolation, then this will not help you.
All the other clients will still be able to get the traffic you want to isolate.

You're trying to implement an L3 solution for an L2 problem.
The only solution is to get an AP which allows you to configure client isolation.
We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
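
Added example, not part of any post in this thread: a simplified Python model of the point made above, that a /32 mask only changes the sender's L3 next-hop choice while the AP bridges frames at L2 without ever seeing the mask. The `AccessPoint` class, the station names and the 10.0.0.x addresses are constructed for illustration and do not model any vendor's firmware.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"

def next_hop(own_cidr, dst_ip, gateway):
    """Sender-side L3 decision: deliver on-link, or hand the packet to the gateway."""
    on_link = ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(own_cidr).network
    return dst_ip if on_link else gateway

class AccessPoint:
    """Simplified L2 bridge: forwards by MAC and never sees a client's netmask."""

    def __init__(self, isolate=False):
        self.isolate = isolate
        self.stations = {}  # station id (stand-in for a MAC) -> "client" or "uplink"

    def attach(self, mac, role):
        self.stations[mac] = role

    def deliver(self, src, dst):
        """Return the set of stations that receive a frame sent from src to dst."""
        if dst == BROADCAST:
            out = set(self.stations) - {src}
        else:
            out = {dst} & set(self.stations)
        if self.isolate and self.stations[src] == "client":
            # Client isolation: a wireless client may only reach the uplink.
            out = {m for m in out if self.stations[m] == "uplink"}
        return out

def build(isolate):
    """Constructed topology: one gateway on the uplink, two wireless clients."""
    ap = AccessPoint(isolate)
    ap.attach("gw", "uplink")
    ap.attach("a", "client")
    ap.attach("b", "client")
    return ap

if __name__ == "__main__":
    # A /32 host sends traffic for its neighbour via the gateway...
    print(next_hop("10.0.0.5/32", "10.0.0.6", "10.0.0.1"))
    # ...but its broadcasts, and frames addressed to it, are still bridged.
    print(build(False).deliver("a", BROADCAST), build(False).deliver("b", "a"))
    # With isolation on the AP, only the uplink is reachable from a client.
    print(build(True).deliver("a", BROADCAST), build(True).deliver("b", "a"))
```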

johnpoz
« Reply #4 on: December 30, 2017, 03:42:42 am »
What AP does not support client isolation?  Shoot, even the cheapest SOHO wifi routers support this..

So you have a wifi network with a /20 mask?  So you have like 4K clients on your wifi network and the APs you're using do not support isolation?  What about your switching infrastructure?  With that many clients you must have many APs.. Put the switch ports that connect to the AP in protected or isolation mode so they don't see traffic from all the other APs, etc.

There is an article about controlling broadcast traffic on unifi which might be helpful
https://help.ubnt.com/hc/en-us/articles/115001529267-UniFi-Managing-Broadcast-Traffic

reza.mnp
« Reply #5 on: December 30, 2017, 05:56:14 am »
Thanks a lot.
I have 100 APs (ubnt-unifi) that are connected to ubnt US-24 switches, and all US-24s are connected to a Cisco 2960X (via fiber).

------------------------------
pfSense hardware:

Intel(R) Xeon(R) CPU D-1587 @ 1.70GHz
Current: 1700 MHz, Max: 1701 MHz
32 CPUs: 1 package(s) x 16 core(s) x 2 hardware threads
427GiB - zfs - enterprise ssd
64G - DDR4 Memory
« Last Edit: December 30, 2017, 06:00:59 am by reza.mnp »

JKnott
« Reply #6 on: December 30, 2017, 06:03:13 am »
Quote
i want block broadcast on the wireless access points that no option for client isolation.

I hope you realize blocking broadcasts will break things like DHCP.

reza.mnp
« Reply #7 on: December 30, 2017, 06:32:13 am »
Will this configuration with the ubnt switch block broadcast for AP clients?

NogBadTheBad
« Reply #8 on: December 30, 2017, 06:55:12 am »
You'd be better off posting this question over in the Ubiquiti forum, I'm sure you can do client isolation on the AP.

Not at home at the moment to check.

johnpoz
« Reply #9 on: December 30, 2017, 07:16:06 am »
The article I linked to is exactly in line with your question on controlling broadcast traffic..  And as mentioned, such a question is way better suited for their forums since you're using their hardware.

As to client isolation on unifi - you have to enable guest policy on the SSID you want to use it on, and if you do not want the captive portal just do not enable that in the policy section... Again, that is best suited for their forums and documentation... But yes, they do support it, they just call it something a bit different than your typical SOHO AP that calls it client isolation or wifi isolation..

If you do not put networks or hosts in the access control portion of guest policy, then no clients would be able to talk to anything on these networks or other wireless clients, etc.

edit:  Here I found the doc for you
https://help.ubnt.com/hc/en-us/articles/115000166827-UniFi-Wireless-Guest-Network-Setup#lan%20client%20isolation
« Last Edit: December 30, 2017, 07:21:09 am by johnpoz »