Static Mapped clients on one LAN get a DHCP IP from another LAN even when Deny unknown clients is checked on the other LAN
Setup with LAN1 and LAN2 - 2 interfaces with different subnets and a DHCP pool within each subnet.
Enable the DHCP server on each of LAN1 and LAN2 and check "Deny unknown clients".
Add a static-mapped client1 to DHCP server on LAN1, and a different client2 on LAN2 (with or without specifying a particular IP address for them)
Connect client1 to LAN1 - it gets an expected address in LAN1 - good.
Connect client2 to LAN2 - it gets an expected address in LAN2 - good.
Connect client1 to LAN2 - it gets an address in the pool for LAN2
Connect client2 to LAN1 - it gets an address in the pool for LAN1
As per references in the forum, this is expected behavior of ISC-DHCP the way dhcpd.conf is being written.
This could be fixed to be more specifically restrictive by using "class" and "subclass" statements and putting positive "allow member of" in the pool scopes, rather than just using deny unknown-clients.
The webGUI says: If this is checked, only the clients defined below will get DHCP leases from this server.
But actually, "deny unknown-clients" in ISC-DHCP only denies completely-unknown clients, which is different from want the pfSense webGUI is claiming.