pfSense

DHCP static map assigns IP to client even if "Deny unknown clients" is set, when the client's mac address has been entered as static map in ANOTHER interface.
------------------
How to reproduce:
------------------
LAN1 interface DHCP settings:
Deny unknown clients [X] Only the clients defined below will get DHCP leases from this server.

Range  [192.168.1.100 ]   [192.168.1.100]
             From                To
               /\---this field is mandatory and must contain at least 1 address from the dhcp range

DHCP Static Mappings for this Interface
               aa:aa:aa:aa:aa:aa    192.168.31.5

and the second interface...

LAN2 interface DHCP settings:
     Deny unknown clients [X]   Only the clients defined below will get DHCP leases from this server.

Range  [172.17.17.100 ]   [172.17.17.100]
             From                To
               /\---this field is mandatory and must contain at least 1 address from the dhcp range

DHCP Static Mappings for this Interface
               bb:bb:bb:bb:bb:bb     172.17.17.13
               cc:cc:cc:cc:cc:cc     172.17.17.14

WHAT HAPPENS:
If you "move" (let's suppose that each LAN is on it's own VLAN) the client with mac address bb:bb:bb:bb:bb:bb from LAN2 to LAN1, even thought it's mac address is NOT on the static map list of THAT interface, the client WILL get the ip 192.168.1.100 ! (the ip address that is specified in the range)
If you move the second client cc:cc:cc:cc:cc:cc from LAN2 it will not (correctly) get any ip address. (<-- probably because the "range" has only one ip address "free")
Of course the same applies to the client with the mac address aa:aa:aa:aa:aa:aa , if you move him from LAN1 to the LAN2 interface it WILL get the ip address 172.17.17.100

"Conclusion":
Probably what happens is that the "Deny unknown clients" option is checked against all(?) static map tables, and not against the corresponding interface as it should be.