
Topic: ignore DHCP for a group of MAC addresses?


luckman212
ignore DHCP for a group of MAC addresses?
« on: January 27, 2012, 11:08:06 am »
Is there any way in pfSense (either manually or via the GUI) to have the DHCP server IGNORE requests coming from AA:BB:CC:* MAC addresses?  I am having a strange issue and need to do this for troubleshooting purposes...

thanks guys for any advice.

wallabybob
Re: ignore DHCP for a group of MAC addresses?
« Reply #1 on: January 27, 2012, 07:05:18 pm »
The closest I can think of is to tick Deny unknown clients on the appropriate DHCP server tab and define static mappings for the other clients. (I haven't tried this.)

luckman212
Re: ignore DHCP for a group of MAC addresses?
« Reply #2 on: January 28, 2012, 09:53:23 am »
I thought about that but the problem is, then any new device (e.g. a guest device that wants to connect via wifi) will have to have its MAC looked up and then have someone log in and assign a static DHCP mapping... not to mention this limits the total # of devices that can ever connect to about 253.  That's a deal breaker.

luckman212
Re: ignore DHCP for a group of MAC addresses?
« Reply #3 on: February 25, 2012, 11:52:09 am »
Bump - there has to be a solution to this, as it stands every time someone plugs in a voip phone, they have to have someone go unplug the pfsense unit first so the DHCP server doesn't reply with the wrong info.  arggghh

wallabybob
Re: ignore DHCP for a group of MAC addresses?
« Reply #4 on: February 25, 2012, 04:37:11 pm »
Quote from: luckman212 on February 25, 2012, 11:52:09 am
every time someone plugs in a voip phone, they have to have someone go unplug the pfsense unit first so the DHCP server doesn't reply with the wrong info.  arggghh

1. Put the VOIP phones on a separate network and configure DHCP server to supply the correct information.

2. Configure the DHCP server to provide the correct information.

3. Preconfigure the VOIP phones so they don't use DHCP.

Maybe there are some relevant factors about your network or your VOIP phones that you haven't told us.


luckman212
Re: ignore DHCP for a group of MAC addresses?
« Reply #5 on: February 25, 2012, 05:58:11 pm »
Yes, some more information:

1) voip phones are from another (large and indifferent) vendor and I have no access to change or even inspect their settings.  They are in a 3yr contract with this vendor so I can't realistically suggest switching to another setup.

2) only single ethernet cable feeding the user so the PCs are "piggybacked" off the phones via ethernet passthru, so I can't separate them on a different switch.

I think this makes any of those proposed solutions impossible?
« Last Edit: February 25, 2012, 06:02:34 pm by luckman212 »

cmb (Chris Buechler, Administrator)
Re: ignore DHCP for a group of MAC addresses?
« Reply #6 on: February 25, 2012, 07:23:25 pm »
The usual way to do that with PCs plugged in via the phones is to configure the phones to tag their traffic on a VLAN, and only have that one DHCP server on the VLAN for the phones.

There is no option to ignore a group of MAC addresses, closest is the deny unknown clients option mentioned. That's true of every DHCP server, it just isn't possible. The only other alternative is to configure whatever DHCP options the phones require so they don't have to hit their own DHCP server, which may or may not be a reasonable solution depending on specifics.

If you can't change the phones to tag their traffic, and can't plug the PCs in elsewhere, and can't consolidate to a single DHCP server, you have an unsolvable problem regardless of what software you use.

dhatz
Re: ignore DHCP for a group of MAC addresses?
« Reply #7 on: February 26, 2012, 02:48:50 am »
I can think of two ways, but I'm not sure if they're doable from pfsense's webGUI:

1) isc dhcpd:

class "phones" {
  # byte 0 of "hardware" is the type (1 = Ethernet); bytes 1-3 are the OUI
  match if substring (hardware, 1, 3) = 00:11:22;
}

2) ipfw L2 filtering (enabled in pfsense)
do a man ipfw and read the MAC

cmb (Chris Buechler, Administrator)
Re: ignore DHCP for a group of MAC addresses?
« Reply #8 on: February 26, 2012, 03:26:42 am »
I don't think you can disable handing out leases with classes though can you?

ipfw blocking only DHCP requests by MAC address match could work, but it would have to be hacked in manually. That doesn't address the fact that the PCs on occasion probably get a lease from the phones' DHCP server, which may be undesirable or problematic.

dhatz
Re: ignore DHCP for a group of MAC addresses?
« Reply #9 on: February 26, 2012, 04:55:47 am »
iirc isc dhcp can deny based on class e.g.:

   pool {
      range 192.168.2.50 192.168.2.75;
      allow members of "mypcs";
      deny members of "phones";
   }


wrt the ipfw L2 filtering, I suppose PCs could occasionally get a lease from the phones' DHCP server (assuming it isn't configured to only respond to certain clients), but ipfw L2 might again be configured to forward UDP 67/68 traffic to it from the phones' MAC addresses only (ipfw allows wildcard MAC matching e.g. MAC any 00:11:22:33:00:00/32). However I should note that I haven't tried this.

luckman212
Re: ignore DHCP for a group of MAC addresses?
« Reply #10 on: February 26, 2012, 04:56:15 pm »
Hmm interesting responses,  I appreciate the help!  After some more digging, it seems there *might* be a solution, something along the lines of adding the following clause to my dhcpd.conf

class "mitel" {
  match if substring(hardware,1,8) = 08:00:0f;
  ignore booting;
}

pool {
  range 192.168.2.10 192.168.2.99;
  deny members of "mitel";
}

I haven't tested this but I think that it might work.  But when I logged into the console and tried to vi /etc/inc/services.inc, when I went to write out the file I got:
Error: services.inc: Read-only file system.

Do I need to remount the filesystem as r/w?  Sort of scared to do this on an embedded system that I am not physically standing next to.
edit:  well I found out how to get the filesystem into rw mode.  The commands are
/etc/rc.conf_mount_rw
and then
/etc/rc.conf_mount_ro
when you're done

I've made my edits, rebooting the box now....stay tuned  :-\
« Last Edit: February 26, 2012, 08:16:01 pm by luckman212 »

luckman212
Re: ignore DHCP for a group of MAC addresses?
« Reply #11 on: February 26, 2012, 08:42:41 pm »
Hmm that hasn't gone well.  It seems that there's no /etc/dhcpd.conf or /var/dhcpd/etc/dhcpd.conf after rebooting the box.  I think maybe dhcpd.conf is generated from scratch during each reboot?  Not sure, I need to dig deeper... arggh.

dhatz
Re: ignore DHCP for a group of MAC addresses?
« Reply #12 on: February 26, 2012, 08:51:59 pm »
I've just tested it and it works.

In your case, use
class "mitel" {
  match if ( substring(hardware,0,4) = 01:08:00:0f );
}

For your tests, you'll need to manually edit /var/dhcpd/etc/dhcpd.conf on the pfsense box, kill dhcpd and restart it from command-line. Note that the /var/dhcpd/ files are regenerated and overwritten on each reboot.

luckman212
Re: ignore DHCP for a group of MAC addresses?
« Reply #13 on: February 26, 2012, 09:44:58 pm »
I went about this a slightly different way, that doesn't require manual killing/restarting dhcpd.  I inserted the following clause right before the "{$custoptions}" line (~line 136) in /etc/inc/services.inc  so this way it gets preserved even if I make changes via the GUI.  Of course this won't survive an upgrade so I'll just have to remember to re-patch after any upgrades.  Hopefully one day the GUI will have a box for easier customizing of dhcpd.conf ...

class "mitel" {
  match if binary-to-ascii(16,8,":",substring(hardware,0,4)) = "1:8:0:f";
  ignore booting;
}

Is my match string correct?  I have seen some examples omit the whole binary-to-ascii conversion step but I was following the notes of Michael Lucas (who wrote a BSD book) at http://blather.michaelwlucas.com/archives/962
« Last Edit: February 26, 2012, 10:23:13 pm by luckman212 »
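Since the thread turns on what `hardware`, `substring()` and `binary-to-ascii()` actually evaluate to, here is an added Python model of those ISC dhcpd expressions (example code, not from pfSense or from any poster) that evaluates the clauses proposed in the replies above against the phone MAC 08:00:0f:53:b8:70 that appears in the thread's DHCP log, plus a constructed PC MAC. What is taken as given is ISC dhcpd behaviour: `hardware` is one hardware-type byte (1 for Ethernet) followed by the MAC, `substring()` truncates when the data runs out, a colon-separated hex literal is raw bytes while a quoted literal is ASCII, and `binary-to-ascii()` prints each chunk without zero padding. The function names and the PC MAC are assumptions for illustration.

```python
# Added example: a small Python model of the ISC dhcpd expressions used in
# this thread, so the candidate "match if" clauses can be evaluated offline.
# Not code from pfSense or from any poster.  Assumed dhcpd semantics:
#   - `hardware` = one hardware-type byte (1 = Ethernet) + the 6 MAC bytes
#   - substring(data, off, len) returns fewer bytes if data is shorter
#   - 01:08:00:0f is a raw-byte literal; "00:11:22" is an ASCII literal
#   - binary-to-ascii(16, 8, ":", ...) prints each byte in hex, no padding
# Function names and PC_MAC are assumptions for illustration.

ETHERNET = 1  # hardware-type byte that dhcpd prepends to the MAC


def hardware(mac: str, htype: int = ETHERNET) -> bytes:
    """dhcpd's `hardware` data expression for a client with this MAC."""
    return bytes([htype]) + bytes.fromhex(mac.replace(":", ""))


def substring(data: bytes, offset: int, length: int) -> bytes:
    """dhcpd substring(data, offset, length); shorter result if data runs out."""
    return data[offset:offset + length]


def hexlit(literal: str) -> bytes:
    """A colon-separated hex literal such as 01:08:00:0f, as raw bytes."""
    return bytes(int(octet, 16) for octet in literal.split(":"))


def binary_to_ascii(base: int, width: int, sep: str, data: bytes) -> str:
    """dhcpd binary-to-ascii() for width=8: one number per byte, no padding."""
    if width != 8 or base not in (10, 16):
        raise ValueError("only 8-bit chunks in base 10 or 16 are modelled here")
    return sep.join(format(b, "x" if base == 16 else "d") for b in data)


# The clauses proposed in the thread, each as a predicate over a client MAC.
def match_substring_1_8(mac: str) -> bool:
    # Reply #10:  match if substring(hardware,1,8) = 08:00:0f;
    # substring() yields all 6 MAC bytes; 6 bytes never equal 3 bytes.
    return substring(hardware(mac), 1, 8) == hexlit("08:00:0f")


def match_quoted_string(mac: str) -> bool:
    # A common slip:  match if substring(hardware,1,8) = "00:11:22";
    # The quoted literal is 8 ASCII bytes, not 3 raw bytes, so it never matches.
    return substring(hardware(mac), 1, 8) == b"00:11:22"


def match_type_and_oui(mac: str) -> bool:
    # Reply #12:  match if substring(hardware,0,4) = 01:08:00:0f;
    return substring(hardware(mac), 0, 4) == hexlit("01:08:00:0f")


def match_binary_to_ascii(mac: str) -> bool:
    # Reply #13:  match if binary-to-ascii(16,8,":",substring(hardware,0,4)) = "1:8:0:f";
    return binary_to_ascii(16, 8, ":", substring(hardware(mac), 0, 4)) == "1:8:0:f"


def match_oui(mac: str, oui: str) -> bool:
    # Shortest correct form:  match if substring(hardware,1,3) = <oui>;
    return substring(hardware(mac), 1, 3) == hexlit(oui)


PHONE_MAC = "08:00:0f:53:b8:70"  # the phone seen in the thread's DHCP log
PC_MAC = "00:11:22:33:44:55"     # constructed, not from the thread


def evaluate(mac: str) -> dict:
    """Which of the thread's clauses would put this client in class "mitel"."""
    return {
        "substring(hardware,1,8) = 08:00:0f": match_substring_1_8(mac),
        'substring(hardware,1,8) = "00:11:22"': match_quoted_string(mac),
        "substring(hardware,0,4) = 01:08:00:0f": match_type_and_oui(mac),
        'binary-to-ascii(16,8,":",substring(hardware,0,4)) = "1:8:0:f"': match_binary_to_ascii(mac),
        "substring(hardware,1,3) = 08:00:0f": match_oui(mac, "08:00:0f"),
    }


if __name__ == "__main__":
    for mac in (PHONE_MAC, PC_MAC):
        print(mac, "hardware =", hardware(mac).hex(":"))
        for clause, hit in evaluate(mac).items():
            print("  ", "MATCH" if hit else "no   ", clause)
```

The two forms that match the phone both compare four raw bytes starting at offset 0 (type byte plus OUI); `substring(hardware,1,3)` against a three-byte hex literal is the shorter equivalent. Any clause that asks for 8 bytes from offset 1, or compares against a quoted string, can never be true for an Ethernet client.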

luckman212
Re: ignore DHCP for a group of MAC addresses?
« Reply #14 on: February 27, 2012, 01:21:13 pm »
Okay, the above isn't working for me.  I am not at the site to test hands on but my contact there said he rebooted a phone and it failed to boot.  I checked the DHCP leases and I actually don't see any entries for the phone's MAC address (that's a good thing I suppose) so DHCPd isn't handing out an IP.  But when I go to System Log it is overflowing (pages and pages) of

dhcpd: parse_option_buffer: malformed option vendor-class.<unknown> (code 1027): code tag at end of buffer - missing length field.

Any more ideas?   Should I try to packet filter / firewall this so no traffic whatsoever from the phones ever reaches the pfSense box? (not sure how to even go about that)

EDIT:  sorry, actually upon further inspection, I looked at the DHCP tab of Logs and I see that the daemon is actually handing out an IP -- so my "ignore booting" is apparently not having the desired effect.  See below:

dhcpd: DHCPNAK on 10.161.157.158 to 08:00:0f:53:b8:70 via em0
Feb 27 14:26:38 dhcpd: DHCPREQUEST for 10.161.157.158 (10.167.0.32) from 08:00:0f:53:b8:70 via em0: wrong network.
« Last Edit: February 27, 2012, 01:26:04 pm by luckman212 »
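To confirm from the DHCP log whether dhcpd really is staying silent toward the phones, here is an added Python checker (example code, not from pfSense or from any poster) run over constructed log lines modelled on the two entries quoted above plus a normal PC exchange. It treats DHCPOFFER, DHCPACK and DHCPNAK as server replies and reports any reply addressed to a MAC whose OUI was meant to be ignored; the message formats are ISC dhcpd's, and the sample lines, function names and the PC exchange are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Added example: check an ISC dhcpd log for replies sent to clients that a
# class with "ignore booting" was supposed to silence.  Not code from pfSense
# or from any poster.  Assumes the standard ISC dhcpd log formats seen in this
# thread; SAMPLE_LOG is constructed from the two quoted entries plus a PC.

# Server -> client: "DHCPOFFER|DHCPACK|DHCPNAK on <ip> to <mac> via <if>"
REPLY_RE = re.compile(
    r"dhcpd: (DHCPOFFER|DHCPACK|DHCPNAK) on (\S+) to ([0-9a-fA-F:]{17}) via ([^\s:]+)"
)
# Client -> server: "DHCPDISCOVER from <mac> via <if>",
# "DHCPREQUEST for <ip> (<server>) from <mac> via <if>[: reason]"
CLIENT_RE = re.compile(
    r"dhcpd: (DHCPDISCOVER|DHCPREQUEST|DHCPINFORM)\b.*?\bfrom ([0-9a-fA-F:]{17}) via ([^\s:]+)"
)

SAMPLE_LOG = """\
Feb 27 14:26:38 dhcpd: DHCPREQUEST for 10.161.157.158 (10.167.0.32) from 08:00:0f:53:b8:70 via em0: wrong network.
Feb 27 14:26:38 dhcpd: DHCPNAK on 10.161.157.158 to 08:00:0f:53:b8:70 via em0
Feb 27 14:27:01 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via em0
Feb 27 14:27:02 dhcpd: DHCPOFFER on 192.168.2.50 to 00:11:22:33:44:55 via em0
Feb 27 14:27:02 dhcpd: DHCPREQUEST for 192.168.2.50 (192.168.2.1) from 00:11:22:33:44:55 via em0
Feb 27 14:27:02 dhcpd: DHCPACK on 192.168.2.50 to 00:11:22:33:44:55 via em0
"""


def oui_of(mac: str) -> str:
    """First three octets, lower-cased, e.g. '08:00:0f'."""
    return mac.lower()[:8]


def summarize(log: str) -> dict:
    """Per OUI: how many client messages arrived and which replies went back."""
    summary = defaultdict(lambda: {"client": Counter(), "replies": Counter()})
    for line in log.splitlines():
        m = REPLY_RE.search(line)
        if m:
            summary[oui_of(m.group(3))]["replies"][m.group(1)] += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            summary[oui_of(m.group(2))]["client"][m.group(1)] += 1
    return dict(summary)


def still_answered(log: str, ignored_ouis) -> list:
    """Replies (type, ip, mac) that went to a MAC the class was meant to ignore.
    A DHCPNAK counts: the server is still talking to the phone."""
    ignored = {o.lower() for o in ignored_ouis}
    hits = []
    for line in log.splitlines():
        m = REPLY_RE.search(line)
        if m and oui_of(m.group(3)) in ignored:
            hits.append((m.group(1), m.group(2), m.group(3).lower()))
    return hits


if __name__ == "__main__":
    for oui, counts in summarize(SAMPLE_LOG).items():
        print(oui, dict(counts["client"]), dict(counts["replies"]))
    for reply in still_answered(SAMPLE_LOG, {"08:00:0f"}):
        print("still answered:", reply)
```

Run against the pfSense DHCP log (Status > System Logs > DHCP) instead of the sample, with the phone vendor's OUI in the ignored set; an empty result from `still_answered()` is the condition the class is supposed to produce, while a DHCPNAK in the result is exactly what the log quoted above shows.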