Author Topic: TESTING NEEDED: Multiple DHCP pools within a subnet  (Read 19671 times)

Offline jimp

TESTING NEEDED: Multiple DHCP pools within a subnet
« on: September 16, 2012, 06:42:41 pm »
I just committed initial support for multiple DHCP pools inside of a subnet, and you can set options specific to that pool to have the pools act differently.

https://github.com/bsdperimeter/pfsense/commit/cba980f6a4fafa55b1eb11621e33942f149061ff

For example, you can have:

Pool A deny MAC prefix of AA:BB, using one set of addresses with one gateway
Pool B allow MAC prefix of AA:BB, using a different set of addresses and a different gateway, and DNS, etc.

It would also allow you to have servers/static maps in the middle of a subnet by making the main range at the start of the subnet and a pool after the static addresses.

One thing it lacks yet is input validation to make sure that you are not entering overlapping subnets.

If you are already on the latest snapshot, apply the commit above using the system patches package, gitsync, or wait for the next new snapshot and give it a try.

It worked for me in a VM environment using the above scenario. I made two pools, watched the VM client pick up an IP from the first pool. Then I denied the VM's MAC access to the first pool, reconnected it, and it pulled an IP from the second pool, and so on. But of course people out in the real world can usually dream up more scenarios than I can possibly test myself. So have at it and reply here with what does or doesn't work.

There should effectively be no change for people running without pools. They're completely optional.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!
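The scenario above (two pools in one subnet, one denying a MAC prefix and the other allowing it with its own gateway and DNS) maps onto ISC dhcpd's `class` / `pool` syntax, and the missing piece jimp mentions is overlap validation. The following is an added example, not pfSense code: it validates a list of pools against the interface subnet (inside the subnet, no network/broadcast address, no overlapping ranges) and renders the equivalent dhcpd.conf stanzas. The subnet, addresses and the `Pool` dataclass are constructed for illustration; the `substring(hardware, 1, N)` match and `allow/deny members of` statements are standard dhcpd.conf syntax.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pool:
    """One DHCP pool inside the interface subnet (constructed type, not pfSense's)."""
    start: str
    end: str
    gateway: Optional[str] = None
    dns: list = field(default_factory=list)
    mac_prefix: Optional[str] = None  # leading bytes of the MAC, e.g. "AA:BB"
    mac_mode: str = "deny"            # "deny" or "allow" clients with that prefix


def _bounds(pool):
    lo = int(ipaddress.IPv4Address(pool.start))
    hi = int(ipaddress.IPv4Address(pool.end))
    if lo > hi:
        raise ValueError(f"range start {pool.start} is after end {pool.end}")
    return lo, hi


def validate_pools(subnet, pools):
    """Return validation errors: ranges outside the subnet, ranges that use the
    network or broadcast address, and pairs of ranges that overlap."""
    net = ipaddress.IPv4Network(subnet)
    errors, bounds = [], []
    for idx, p in enumerate(pools):
        lo, hi = _bounds(p)
        for raw in (lo, hi):
            a = ipaddress.IPv4Address(raw)
            if a not in net or a in (net.network_address, net.broadcast_address):
                errors.append(f"pool {idx}: {a} is not a usable host address in {net}")
        bounds.append((lo, hi))
    for i in range(len(bounds)):
        for j in range(i + 1, len(bounds)):
            (a_lo, a_hi), (b_lo, b_hi) = bounds[i], bounds[j]
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                errors.append(f"pool {i} and pool {j} overlap")
    return errors


def render_dhcpd_conf(subnet, pools, default_gateway, default_dns):
    """Render the subnet with one pool stanza per Pool. Each MAC prefix becomes a
    dhcpd class; byte 0 of 'hardware' is the hardware type, so MAC bytes start at 1."""
    errors = validate_pools(subnet, pools)
    if errors:
        raise ValueError("; ".join(errors))
    net = ipaddress.IPv4Network(subnet)
    lines = []
    for prefix in sorted({p.mac_prefix for p in pools if p.mac_prefix}):
        nbytes = len(prefix.split(":"))
        lines.append(f'class "mac_{prefix.replace(":", "").lower()}" {{')
        lines.append(f"    match if substring(hardware, 1, {nbytes}) = {prefix.lower()};")
        lines.append("}")
    lines.append(f"subnet {net.network_address} netmask {net.netmask} {{")
    lines.append(f"    option routers {default_gateway};")
    lines.append(f"    option domain-name-servers {','.join(default_dns)};")
    for p in pools:
        lines.append("    pool {")
        lines.append(f"        range {p.start} {p.end};")
        if p.gateway:
            lines.append(f"        option routers {p.gateway};")
        if p.dns:
            lines.append(f"        option domain-name-servers {','.join(p.dns)};")
        if p.mac_prefix:
            cls = f'mac_{p.mac_prefix.replace(":", "").lower()}'
            lines.append(f'        {p.mac_mode} members of "{cls}";')
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines) + "\n"


# Constructed scenario mirroring the post: pool A denies prefix AA:BB, pool B
# allows only that prefix and hands out a different gateway and DNS server.
POOLS = [
    Pool("192.0.2.100", "192.0.2.199", mac_prefix="AA:BB", mac_mode="deny"),
    Pool("192.0.2.200", "192.0.2.250", gateway="192.0.2.2",
         dns=["192.0.2.2"], mac_prefix="AA:BB", mac_mode="allow"),
]

if __name__ == "__main__":
    print(render_dhcpd_conf("192.0.2.0/24", POOLS, "192.0.2.1", ["192.0.2.1"]))
```

A pool that carries only `allow` statements serves nothing but matching clients, which is what makes pool B a dedicated pool for the AA:BB devices; the overlap check is the guard the post says is still missing, and it is worth running before writing any pool into the live config.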

Offline xbipin

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #1 on: September 17, 2012, 01:30:44 am »
great, trying it out right now

Offline jimp

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #2 on: September 17, 2012, 05:15:12 pm »
If someone is crazy enough to want to try this on 2.0.1/2.0.2, here is a patch that can be applied using the system patches package:

http://files.chi.pfsense.org/jimp/patches/pools-202.patch
(Path strip = 0, base = /)
« Last Edit: September 18, 2012, 09:11:00 am by jimp »

Offline GruensFroeschli

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #3 on: September 24, 2012, 02:38:18 am »
Did some short tests.
I didn't see anything not working.

A suggestion: Could you allow subnets available with a VIP as well?
(usage scenario: provide a separate DHCP range/subnet for all "unknown" clients)
We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Offline jimp

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #4 on: September 24, 2012, 06:03:26 am »
OK.

Those subnets can't be done the same way; they require special coding and syntax for "shared network" in the DHCP config. The pools I did this way are much easier and more often requested.

We do have code for the shared network way but it hasn't found its way into the open source repo yet, not sure what the ETA on that might be.

I do still need to code up the input validation for this though.

Offline GruensFroeschli

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #5 on: September 24, 2012, 07:07:30 am »
Yeah, I figured it might not be as easy as just allowing a different IP range ^^"

After playing a bit more.
Would it take much to create MAC-aliases?
In the field where you can define MAC's which are allowed within a range, such an alias would be perfect.

Offline jimp

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #6 on: September 24, 2012, 07:15:09 am »
No, there isn't a way to do that yet and it wouldn't make sense to do that until such time as pf can actually support filtering by MAC. It would require hacking it into the alias system in quite an ugly way since they couldn't be used by pf, and all the current aliases can.

The intent of the mac filtering option wasn't for lists of full MAC addresses anyhow, but primarily targeted at MAC prefixes, to give different brands/types of devices a different pool, such as a dedicated pool for phones, or similar.

Offline dhatz

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #7 on: September 24, 2012, 07:27:52 am »
pf can't filter by MAC, but ipfw can (incl. partial match).

Motivated by this thread http://forum.pfsense.org/index.php?topic=45596.0 several months ago I did some testing with filtering DHCP traffic by MAC using ipfw, however the dhcpd method is cleaner imho.

Offline jiguana

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #8 on: October 24, 2012, 03:46:09 pm »
I can't get this patch to install. I enter the cba980f into the commit ID space, download the patch, but when testing I receive

Patch can NOT be applied cleanly (detail)
Patch can NOT be reverted cleanly (detail)

What am I doing wrong?

From the cleanly link

Output of full patch apply test: /usr/bin/patch --directory=/ -t -p1 -i /var/patches/5088502b24be6.patch --check --forward

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From cba980f6a4fafa55b1eb11621e33942f149061ff Mon Sep 17 00:00:00 2001
|From: jim-p
|Date: Sun, 16 Sep 2012 19:30:27 -0400
|Subject: [PATCH] Add support for multiple DHCP pools within the interface's
| subnet, and allow most of the settings for the main range
| to be set specific inside the pool. (e.g. it allows setting
| different gateways and DNS for different pools). Still
| needs improved input validation to prevent overlapping
| ranges/pools.
|
|---
| etc/inc/services.inc            |  160 ++++++++++++++-----
| etc/inc/xmlparse.inc            |    2 +-
| etc/inc/xmlreader.inc           |    2 +-
| usr/local/www/services_dhcp.php |  323 +++++++++++++++++++++++++++++----------
| 4 files changed, 364 insertions(+), 123 deletions(-)
|
|diff --git a/etc/inc/services.inc b/etc/inc/services.inc
|index 1834e37..e713ebf 100644
|--- a/etc/inc/services.inc
|+++ b/etc/inc/services.inc
--------------------------
Patching file etc/inc/services.inc using Plan A...
Ignoring previously applied (or reversed) patch.
Hunk #1 ignored at 510.
Hunk #2 ignored at 541.
Hunk #3 ignored at 563.
Hunk #4 ignored at 674.
Hunk #5 ignored at 728.
5 out of 5 hunks ignored--saving rejects to etc/inc/services.inc.rej
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc
|index ce7f4cd..d7ccc29 100644
|--- a/etc/inc/xmlparse.inc
|+++ b/etc/inc/xmlparse.inc
--------------------------
Patching file etc/inc/xmlparse.inc using Plan A...
Ignoring previously applied (or reversed) patch.
Hunk #1 ignored at 47.
1 out of 1 hunks ignored--saving rejects to etc/inc/xmlparse.inc.rej
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/etc/inc/xmlreader.inc b/etc/inc/xmlreader.inc
|index 96353d2..1678843 100644
|--- a/etc/inc/xmlreader.inc
|+++ b/etc/inc/xmlreader.inc
--------------------------
Patching file etc/inc/xmlreader.inc using Plan A...
Ignoring previously applied (or reversed) patch.
Hunk #1 ignored at 51.
1 out of 1 hunks ignored--saving rejects to etc/inc/xmlreader.inc.rej
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/usr/local/www/services_dhcp.php b/usr/local/www/services_dhcp.php
|index 078d099..47e8b49 100755
|--- a/usr/local/www/services_dhcp.php
|+++ b/usr/local/www/services_dhcp.php
--------------------------
Patching file usr/local/www/services_dhcp.php using Plan A...
Ignoring previously applied (or reversed) patch.
Hunk #1 ignored at 94.
Hunk #2 ignored at 124.
Hunk #3 ignored at 249.
Hunk #4 ignored at 363.
Hunk #5 ignored at 388.
Hunk #6 ignored at 501.
Hunk #7 ignored at 559.
Hunk #8 ignored at 685.
Hunk #9 ignored at 694.
Hunk #10 ignored at 732.
Hunk #11 ignored at 768.
Hunk #12 ignored at 879.
Hunk #13 ignored at 887.
Hunk #14 ignored at 908.
Hunk #15 ignored at 935.
Hunk #16 ignored at 1024.
Hunk #17 ignored at 1097.
17 out of 17 hunks ignored--saving rejects to usr/local/www/services_dhcp.php.rej
Hmm...  Ignoring the trailing garbage.
done

Offline jimp

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #9 on: October 24, 2012, 03:51:54 pm »
What are you trying to apply it to? 2.0.1? 2.0.2? 2.1?

It's not needed on 2.1, the functionality is already there.

Given that it's ignoring everything that seems to be the case.

Offline yon

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #10 on: October 28, 2012, 03:07:15 pm »
IPv6 does not work normally with multiple DHCP pools in v2.1.
If you are interested in free peering for clearnet and dn42,contact me !

Offline jimp

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #11 on: October 28, 2012, 03:07:47 pm »
The feature was not added to the IPv6 DHCP settings. Only IPv4.

Offline robfantini

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #12 on: December 26, 2012, 09:20:08 am »
I set a different DNS server (208.67.222.222) in Pool-Specific Options, but that did not get to resolv.conf on the Linux client. The client was even rebooted to test. resolv.conf instead gets the DNS servers defined in the main pool.

Also tried to set the NTP time server to 0.debian.pool.ntp.org. The result was this message at the top of the screen: "A valid IP address must be specified for the primary/secondary NTP servers."

Offline jimp

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #13 on: December 26, 2012, 09:26:04 am »
Does using a hostname in the NTP server field work on the main tab? I thought we required an IP there.

DNS should work, it did last I knew. You can check /var/dhcpd/etc/dhcpd.conf that it's getting into the pool config. It is when I look on mine, though I don't have a client hooked up behind that test VM to do a proper check at the moment.

Offline robfantini

Re: TESTING NEEDED: Multiple DHCP pools within a subnet
« Reply #14 on: December 26, 2012, 11:46:18 am »
Quote
Does using a hostname in the NTP server field work on the main tab? I thought we required an IP there.

An IP is needed there. However, I assumed that since an IP is not needed at General Setup, an IP would not be needed in the DHCP server.

Just read the isc-dhcp dhcp-options man page and now see that an IP is needed.

Quote
DNS should work, it did last I knew. You can check /var/dhcpd/etc/dhcpd.conf that it's getting into the pool config. It is when I look on mine, though I don't have a client hooked up behind that test VM to do a proper check at the moment.

the pool config is OK at /var/dhcpd/etc/dhcpd.conf
Code:
        pool {
                option domain-name-servers 127.0.0.1,172.50.24.2;
                range 172.50.24.100 172.50.24.200;
        }

        pool {
                option domain-name-servers 127.0.0.1,208.67.222.222;
                deny unknown-clients;
                default-lease-time 600;
                range 172.50.24.11 172.50.24.20;
        }

here is more client info:
Code:
t520  /etc # cat resolv.conf
# Generated by NetworkManager
domain fantinibakery.com
search fantinibakery.com
nameserver 127.0.0.1
nameserver 172.50.24.2

t520  /etc # ip a
....

3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 10:0b:a9:69:21:70 brd ff:ff:ff:ff:ff:ff
    inet 172.50.24.11/24 brd 172.50.24.255 scope global wlan0
    inet6 fe80::120b:a9ff:fe69:2170/64 scope link
       valid_lft forever preferred_lft forever

Also, I was not able to add the client's fixed lease to the 'additional pool'. I tried a few things and it always ended up at the bottom of the main pool page.
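The post above pairs a dhcpd.conf excerpt with the client's lease and resolv.conf, which is exactly the data needed to check whether the DNS servers a client received match the pool its address came from. The following is an added example, not pfSense code or the poster's: it parses the `pool { ... }` stanzas as posted (only `range` and `option domain-name-servers` are read; the `deny unknown-clients` line is noted but not evaluated), finds the pool containing a leased address, and compares the pool's DNS list with the `nameserver` lines the client reported. The config and resolv.conf text are embedded verbatim from the post; the function names are this example's own.

```python
import ipaddress
import re

# dhcpd.conf pool stanzas exactly as posted in the thread
DHCPD_CONF = """
        pool {
                option domain-name-servers 127.0.0.1,172.50.24.2;
                range 172.50.24.100 172.50.24.200;
        }

        pool {
                option domain-name-servers 127.0.0.1,208.67.222.222;
                deny unknown-clients;
                default-lease-time 600;
                range 172.50.24.11 172.50.24.20;
        }
"""

# client resolv.conf as posted
RESOLV_CONF = """# Generated by NetworkManager
domain fantinibakery.com
search fantinibakery.com
nameserver 127.0.0.1
nameserver 172.50.24.2
"""

POOL_RE = re.compile(r"pool\s*\{(.*?)\}", re.S)          # stanzas here have no nested braces
RANGE_RE = re.compile(r"^\s*range\s+(\S+)\s+(\S+)\s*;", re.M)
DNS_RE = re.compile(r"^\s*option\s+domain-name-servers\s+([^;]+);", re.M)


def parse_pools(conf):
    """One dict per pool: integer range bounds, the DNS list (None when the pool
    inherits it from the enclosing scope) and whether unknown clients are denied."""
    pools = []
    for body in POOL_RE.findall(conf):
        m = RANGE_RE.search(body)
        if not m:
            continue  # a pool without a range hands out nothing
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in m.groups())
        d = DNS_RE.search(body)
        dns = [s.strip() for s in d.group(1).split(",")] if d else None
        pools.append({"lo": lo, "hi": hi, "dns": dns,
                      "known_only": "deny unknown-clients" in body})
    return pools


def pool_for_lease(conf, ip):
    """Return the pool whose range contains ip, or None if no pool covers it."""
    n = int(ipaddress.IPv4Address(ip))
    for p in parse_pools(conf):
        if p["lo"] <= n <= p["hi"]:
            return p
    return None


def resolv_nameservers(text):
    """Extract nameserver addresses from resolv.conf text, in order."""
    return [line.split()[1] for line in text.splitlines()
            if line.startswith("nameserver")]


def check_client_dns(conf, ip, resolv_text):
    """Compare the DNS servers the covering pool would send with what the client uses."""
    actual = resolv_nameservers(resolv_text)
    pool = pool_for_lease(conf, ip)
    if pool is None:
        return {"pool": None, "expected": None, "actual": actual, "match": False}
    rng = (str(ipaddress.IPv4Address(pool["lo"])), str(ipaddress.IPv4Address(pool["hi"])))
    return {"pool": rng, "expected": pool["dns"], "actual": actual,
            "match": pool["dns"] == actual}


if __name__ == "__main__":
    # the client in the post held 172.50.24.11 on wlan0
    print(check_client_dns(DHCPD_CONF, "172.50.24.11", RESOLV_CONF))
```

Running it against the posted data reports the lease as falling in the second pool's range with `expected` set to that pool's DNS list and `actual` set to the two servers in resolv.conf, so the comparison makes the discrepancy the poster describes visible from the config and client output alone; the same check run against a `dhcpd.leases` file after each renewal is a quick way to confirm whether a client is in fact being served from the pool its options are meant to come from.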