Static ARP entries need to be reapplied after link loss
Enabling static ARP in DHCPD causes the ARP table to get cleared if a disconnect happens to switches/clients connected to it. "arp -an" shows nothing, requiring a reboot to get the ARP list back.
Another issue is that "Deny unknown hosts" doesn't deny users not in the list...
#1 Updated by Basel G. almost 8 years ago
Small clarification about "Deny unknown hosts": if users are using a static IP they can bypass this if they are not in the dhcpd list... Also, it requires lowering lease times as much as possible for it to take action... so it's working if these conditions are met.
#2 Updated by Jim Pingle almost 8 years ago
- Category set to DHCP Server
- Priority changed from High to Normal
- Affected Version set to 2.0
- Affected Architecture set to All
Deny Unknown Clients only affects the DHCP server giving out IPs to clients that are not listed. A client can hardcode an IP - that has nothing to do with the option. Deny Unknown Clients is working as intended if, when enabled, a client not listed as static does not get an IP when set to DHCP.
Static ARP is meant to handle locking out people not in that list, and if that breaks when an interface goes down/up, that's the real problem.
#4 Updated by Basel G. almost 8 years ago
My setup is like this: about 20 switches serving around 150 clients connected through LAN. When I do a power cycle on them with "Static ARP" enabled, the whole LAN becomes unresponsive, even if you try to renew the IP or hardcode it. The only way I found to solve this is to reboot pfSense itself.
When this happens the command "arp -an" shows WAN info only...
So it's denying known hosts too. I couldn't replicate this issue on VMware for some reason.
#5 Updated by Jim Pingle almost 8 years ago
The problem is still with the ARP entries disappearing. That's the only issue here.
Are you power cycling the individual clients or the whole switch? If a link down/up on LAN causes the ARP entries to disappear that should be fairly easy to track down comparatively.
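
A check for the failure discussed in this thread, as an added example that is not part of the original ticket or of pfSense: it compares a list of expected static mappings against saved `arp -an` output and prints the mappings that are no longer present as permanent entries. The function names, the "IP MAC" list format and all addresses are assumptions made for illustration; the ARP line layout assumed is FreeBSD's.

```sh
#!/bin/sh
# Added example (not pfSense code). Names, addresses and file formats are assumptions.
# Expected list: one "IP MAC" pair per line.
# ARP dump: FreeBSD `arp -an` layout, e.g.
#   ? (192.168.1.10) at 00:11:22:33:44:55 on em1 permanent [ethernet]

# Print every expected "IP MAC" pair that is not a permanent entry in the dump.
# $1 = expected list file, $2 = saved `arp -an` output (must be different files)
missing_static_arp() {
    awk '
        # FILENAME test instead of NR == FNR: an empty ARP dump (the failure
        # reported in this thread) would make NR == FNR true for the second file too.
        FILENAME == ARGV[1] {
            if ($0 ~ / permanent/) {
                ip = $2
                gsub(/[()]/, "", ip)
                perm[ip] = tolower($4)
            }
            next
        }
        # Missing, dynamic (non-permanent) or bound to a different MAC: report it.
        NF >= 2 && (!($1 in perm) || perm[$1] != tolower($2)) {
            print $1, tolower($2)
        }
    ' "$2" "$1"
}

# Constructed sample data.
sample_expected() {
    printf '%s\n' '192.168.1.10 00:11:22:33:44:55' '192.168.1.11 00:11:22:33:44:66'
}
sample_arp_healthy() {
    printf '%s\n' \
        '? (192.168.1.10) at 00:11:22:33:44:55 on em1 permanent [ethernet]' \
        '? (192.168.1.11) at 00:11:22:33:44:66 on em1 permanent [ethernet]' \
        '? (203.0.113.1) at 00:aa:bb:cc:dd:01 on em0 expires in 1100 seconds [ethernet]'
}
# After the link loss described above: only WAN entries remain.
sample_arp_after_link_loss() {
    printf '%s\n' \
        '? (203.0.113.1) at 00:aa:bb:cc:dd:01 on em0 expires in 1100 seconds [ethernet]'
}
```

On the firewall, save the output of `arp -an` to a file and pass it as the second argument; any line printed is a static mapping that is currently not enforced.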