Bug #6720
closedDHCPD Options in "Sub-"Pools ignored, dhcpd.conf does not contain informations, dhcpd therefore not serving
100%
Description
Dear Maintainers,
we have recently discovered that pfsense 2.3.2-RELEASE does not treat Options in DHCP "Sub-"Pools properly.
Please find below an example of what we want to achieve in the dhcpd.conf, critical points highlighted bold:
option custom-opt8-0 code 66 = string;
option custom-opt8-1 code 66 = string;
option custom-opt8-2 code 66 = string;
<------------------------cut------------------------<
class "001565" {
match if substring (hardware, 1, 3) = 00:15:65;
}
class "00A0BA" {
match if substring (hardware, 1, 3) = 00:A0:BA;
}
class "000DB9" {
match if substring (hardware, 1, 3) = 00:0D:B9;
}
subnet 10.10.100.0 netmask 255.255.255.0 {
pool {
deny members of "001565";
deny members of "00A0BA";
deny members of "000DB9";
range 10.10.100.110 10.10.100.150;
}pool {
allow members of "00A0BA";
range 10.10.100.102 10.10.100.103;
option custom-opt8-1 "http://10.10.100.100/provision-path-specific/to-102-103/
}pool {
allow members of "000DB9";
range 10.10.100.100 10.10.100.101;
}pool {
allow members of "001565";
range 10.10.100.1 10.10.100.99;
option custom-opt8-2 "http://10.10.100.100/provision-path-specific/to-001565/
}option routers 10.10.100.254;
option domain-name-servers 10.10.100.254;
option ntp-servers 10.10.100.254;option custom-opt8-0 "http://10.10.100.100/general-provision-path/";
}
The values we want to set and serve through dhcpd can be configured in the webinterface & are exported properly with "Backup & Restore". XML files look like this:
<opt8>
<range>
<from>10.10.100.110</from>
<to>10.10.100.150</to>
</range>
<enable/>
<failover_peerip/>
<dhcpleaseinlocaltime/>
<defaultleasetime/>
<maxleasetime/>
<netmask/>
<gateway/>
<domain/>
<domainsearchlist/>
<ddnsdomain/>
<mac_allow/>
<mac_deny>00:15:65,00:A0:BA,00:0D:B9</mac_deny>
<tftp/>
<ldap/>
<nextserver/>
<filename/>
<rootpath/>
<numberoptions>
<item>
<number>66</number>
<type>string</type>
<value>Imh0dHA6Ly8xMC4xMC4xMDAuMTAwL2FwcC9wcm92aXNpb24vIg==</value>
</item>
</numberoptions>
<ddnsdomainprimary/>
<ddnsdomainkeyname/>
<ddnsdomainkey/>
<filename32/>
<filename64/>
<pool>
<range>
<from>10.10.100.1</from>
<to>10.10.100.99</to>
</range>
<descr><![CDATA[Yealink Phones]]></descr>
<defaultleasetime/>
<maxleasetime/>
<netmask></netmask>
<gateway/>
<domain/>
<domainsearchlist/>
<ddnsdomain/>
<ddnsdomainprimary/>
<ddnsdomainkeyname/>
<ddnsdomainkey/>
<mac_allow>00:15:65</mac_allow>
<mac_deny/>
<tftp/>
<ldap/>
<nextserver/>
<filename/>
<filename32/>
<filename64/>
<rootpath/>
<numberoptions>
<item>
<number>66</number>
<type>string</type>
<value>Imh0dHA6Ly8xMC4xMC4xMDAuMTAwL2luc2lkZS1zdWItcG9vbC9vcHRpb242NiI=</value>
</item>
</numberoptions>
<ntpserver>10.10.100.254</ntpserver>
</pool>
<staticmap/>
<ntpserver>10.10.100.254</ntpserver>
</opt8>
The critical point is that this settings are not reflected in the dhcpd.conf, which still looks like this:
option custom-opt8-2 code 66 = string;
<------------------------cut------------------------<
subnet 10.10.100.0 netmask 255.255.255.0 {
pool {
deny members of "001565";
deny members of "00A0BA";
deny members of "000DB9";
range 10.10.100.110 10.10.100.150;
}pool {
allow members of "00A0BA";
range 10.10.100.102 10.10.100.103;
}pool {
allow members of "000DB9";
range 10.10.100.100 10.10.100.101;
}pool {
allow members of "001565";
range 10.10.100.1 10.10.100.99;
*}*option routers 10.10.100.254;
option domain-name-servers 10.10.100.254;
option ntp-servers 10.10.100.254;option custom-opt8-0 "http://10.10.100.100/general-provision-path/";
}
It seems that all other options are ignored as well. Setting ntp-server, dns-server and so forth is not working inside "Sub-"Pools. The values can be set, but dhcpd.conf is not updated accordingly.
Wit the above mentioned settings the hardware does get the proper IP-Address, dependant on the MAC, but all other DHCP options cannot be found in dhcpd.conf, and are as consequence not serverved during a dhcp request.
I've added a high priority to this issue, since the work & configuration flow of PFsense is in a way that the user will expect that the options are set correctly and served properly.
Many thanks in advance for your help!
Best regards,
Harald Gutmann
Updated by Phillip Davis over 8 years ago
Looking in the code I found a couple of other things when I did some first looking:
1) A problem when specifying DDNS Domain in a static map entry https://github.com/pfsense/pfsense/pull/3109
2) Duplication of the "option domain-name-servers" line when specified for a pool https://github.com/pfsense/pfsense/pull/3110
Stuff like ntp-server and dns-server is only put in the block for the pool if it is different to the overall ntp-server or dns-server for the interface as a whole. So, for example, in the OPs listing above the ntp-server for the pool is specified as 10.10.100.254, the same as for the overall interface, so it is not repeated in the pool. When I put a different value for vthe pool ntp-server then it appears in the config.
Updated by Phillip Davis over 8 years ago
Please try the code at pull request https://github.com/pfsense/pfsense/pull/3112 - /etc/inc/services.inc - and report back if it works for you.
Updated by Harald Gutmann over 8 years ago
Dear Phillip Davis,
many thanks for your fast reaction and fix!
I've tested several combinations and can so far confirm that the expected functionality is now there.
The output in the dhcpd.conf looks like this:
subnet 10.10.100.0 netmask 255.255.255.0 { pool { deny members of "001565"; deny members of "00A0BA"; deny members of "000DB9"; range 10.10.100.110 10.10.100.150; } pool { option domain-name-servers 8.8.8.8; allow members of "001565"; option domain-name-servers 8.8.8.8; option ntp-servers at.pool.ntp.org; option custom-opt8-0-0 "http://10.10.100.100/yealink/"; range 10.10.100.1 10.10.100.99; } pool { option domain-name-servers 8.8.8.8; allow members of "00A0BA"; option domain-name-servers 8.8.8.8; option custom-opt8-1-0 "http://10.10.100.100/patton_gw/"; range 10.10.100.102 10.10.100.103; } option routers 10.10.100.254; option domain-name-servers 10.10.100.254; option ntp-servers 10.10.100.254; option custom-opt8-0 "http://10.10.100.100/general/"; }I've noticed the following flaws:
- domain-name-servers are listed twice. All other options I tried are only listed once in the sub-pools.
- indentation of option custom-optX-Y-Z does not match the blocks.
Again, many thanks for your support!
Best regards,
Harald Gutmann
Updated by Phillip Davis over 8 years ago
1) "domain-name-servers are listed twice" - yeh, I noticed that also. Should be fixed by pull request https://github.com/pfsense/pfsense/pull/3110
2) I added an extra tab of indent to PR 3112
Updated by Harald Gutmann over 8 years ago
I've just tested PR3112 including the 2nd commit & PR3110.
The result is now perfect, functionallity is there & the config file looks clean.
I think we can consider this as done when the according pull request are merged.
Many many thanks for your efforts to fix this issue.
Best Regards,
Harald Gutmann
Updated by Renato Botelho over 8 years ago
- Status changed from New to Feedback
Pull request has been merged. Thanks!
Updated by Phillip Davis over 8 years ago
- % Done changed from 0 to 100
Applied in changeset 285987208f31f38abe35b984b08645d43c11b001.
Updated by Jim Pingle about 8 years ago
- Status changed from Feedback to Resolved
Fixed, per above feedback