Bug #6720

DHCPD Options in "Sub-"Pools ignored, dhcpd.conf does not contain information, dhcpd therefore not serving

Added by Harald Gutmann almost 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: DHCP Server
Target version:
Start date: 08/16/2016
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3.2
Affected Architecture: All

Description

Dear Maintainers,

we have recently discovered that pfsense 2.3.2-RELEASE does not treat Options in DHCP "Sub-"Pools properly.
Please find below an example of what we want to achieve in the dhcpd.conf, critical points highlighted bold:

option custom-opt8-0 code 66 = string;
option custom-opt8-1 code 66 = string;
option custom-opt8-2 code 66 = string;
<------------------------cut------------------------<
class "001565" {
        match if substring (hardware, 1, 3) = 00:15:65;
}
class "00A0BA" {
        match if substring (hardware, 1, 3) = 00:A0:BA;
}
class "000DB9" {
        match if substring (hardware, 1, 3) = 00:0D:B9;
}
subnet 10.10.100.0 netmask 255.255.255.0 {
        pool {
                deny members of "001565";
                deny members of "00A0BA";
                deny members of "000DB9";
                range 10.10.100.110 10.10.100.150;
        }

        pool {
                allow members of "00A0BA";
                range 10.10.100.102 10.10.100.103;
                option custom-opt8-1 "http://10.10.100.100/provision-path-specific/to-102-103/";
        }

        pool {
                allow members of "000DB9";
                range 10.10.100.100 10.10.100.101;
        }

        pool {
                allow members of "001565";
                range 10.10.100.1 10.10.100.99;
                option custom-opt8-2 "http://10.10.100.100/provision-path-specific/to-001565/";
        }

        option routers 10.10.100.254;
        option domain-name-servers 10.10.100.254;
        option ntp-servers 10.10.100.254;

        option custom-opt8-0 "http://10.10.100.100/general-provision-path/";
}

The values we want to set and serve through dhcpd can be configured in the web interface & are exported properly with "Backup & Restore". XML files look like this:

<opt8>
  <range>
    <from>10.10.100.110</from>
    <to>10.10.100.150</to>
  </range>
  <enable/>
  <failover_peerip/>
  <dhcpleaseinlocaltime/>
  <defaultleasetime/>
  <maxleasetime/>
  <netmask/>
  <gateway/>
  <domain/>
  <domainsearchlist/>
  <ddnsdomain/>
  <mac_allow/>
  <mac_deny>00:15:65,00:A0:BA,00:0D:B9</mac_deny>
  <tftp/>
  <ldap/>
  <nextserver/>
  <filename/>
  <rootpath/>
  <numberoptions>
    <item>
      <number>66</number>
      <type>string</type>
      <value>Imh0dHA6Ly8xMC4xMC4xMDAuMTAwL2FwcC9wcm92aXNpb24vIg==</value>
    </item>
  </numberoptions>
  <ddnsdomainprimary/>
  <ddnsdomainkeyname/>
  <ddnsdomainkey/>
  <filename32/>
  <filename64/>
  <pool>
    <range>
      <from>10.10.100.1</from>
      <to>10.10.100.99</to>
    </range>
    <descr><![CDATA[Yealink Phones]]></descr>
    <defaultleasetime/>
    <maxleasetime/>
    <netmask></netmask>
    <gateway/>
    <domain/>
    <domainsearchlist/>
    <ddnsdomain/>
    <ddnsdomainprimary/>
    <ddnsdomainkeyname/>
    <ddnsdomainkey/>
    <mac_allow>00:15:65</mac_allow>
    <mac_deny/>
    <tftp/>
    <ldap/>
    <nextserver/>
    <filename/>
    <filename32/>
    <filename64/>
    <rootpath/>
    <numberoptions>
      <item>
        <number>66</number>
        <type>string</type>
        <value>Imh0dHA6Ly8xMC4xMC4xMDAuMTAwL2luc2lkZS1zdWItcG9vbC9vcHRpb242NiI=</value>
      </item>
    </numberoptions>
    <ntpserver>10.10.100.254</ntpserver>
  </pool>
  <staticmap/>
  <ntpserver>10.10.100.254</ntpserver>
</opt8>

The critical point is that these settings are not reflected in the dhcpd.conf, which still looks like this:

option custom-opt8-2 code 66 = string;
<------------------------cut------------------------<
subnet 10.10.100.0 netmask 255.255.255.0 {
        pool {
                deny members of "001565";
                deny members of "00A0BA";
                deny members of "000DB9";
                range 10.10.100.110 10.10.100.150;
        }

        pool {
                allow members of "00A0BA";
                range 10.10.100.102 10.10.100.103;
        }

        pool {
                allow members of "000DB9";
                range 10.10.100.100 10.10.100.101;
        }

        pool {
                allow members of "001565";
                range 10.10.100.1 10.10.100.99;
        }

        option routers 10.10.100.254;
        option domain-name-servers 10.10.100.254;
        option ntp-servers 10.10.100.254;

        option custom-opt8-0 "http://10.10.100.100/general-provision-path/";
}

It seems that all other options are ignored as well. Setting ntp-server, dns-server and so forth is not working inside "Sub-"Pools. The values can be set, but dhcpd.conf is not updated accordingly.
With the above-mentioned settings the hardware does get the proper IP address, dependent on the MAC, but all other DHCP options cannot be found in dhcpd.conf, and are as a consequence not served during a DHCP request.

I've added a high priority to this issue, since the work & configuration flow of PFsense is in a way that the user will expect that the options are set correctly and served properly.

Many thanks in advance for your help!

Best regards,
Harald Gutmann
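
A check for this kind of silent drop, as an added example (not pfSense code and not part of the original report): decode each sub-pool's numberoptions value from the exported XML and confirm it appears in the dhcpd.conf pool block with the matching range. The XML and dhcpd.conf fragments are constructed, trimmed versions of the ones shown above, and all function names are hypothetical.

```python
import base64
import re
import xml.etree.ElementTree as ET

def b64(text):
    """Encode a sample value the way the export stores <value> (base64)."""
    return base64.b64encode(text.encode()).decode()

POOL_URL = '"http://10.10.100.100/yealink/"'  # constructed sample value
# Constructed sample: only the elements of the <opt8> export that matter here.
CONFIG_XML = f"""<opt8>
  <range><from>10.10.100.110</from><to>10.10.100.150</to></range>
  <pool>
    <range><from>10.10.100.1</from><to>10.10.100.99</to></range>
    <numberoptions><item><number>66</number><type>string</type>
      <value>{b64(POOL_URL)}</value></item></numberoptions>
  </pool>
</opt8>"""
# Constructed dhcpd.conf fragments: option missing from the pool, then present.
CONF_BEFORE = """subnet 10.10.100.0 netmask 255.255.255.0 {
    pool {
        allow members of "001565";
        range 10.10.100.1 10.10.100.99;
    }
}"""
CONF_AFTER = CONF_BEFORE.replace(
    "range 10.10.100.1 ",
    f"option custom-opt8-0-0 {POOL_URL};\n        range 10.10.100.1 ")

def expected_pool_options(xml_text):
    """Return {(from, to): [decoded option values]} for every sub-pool."""
    out = {}
    for pool in ET.fromstring(xml_text).findall("pool"):
        rng = (pool.findtext("range/from"), pool.findtext("range/to"))
        out[rng] = [base64.b64decode(v.text).decode()
                    for v in pool.findall("numberoptions/item/value") if v.text]
    return out

def pool_blocks(conf_text):
    """Return {(from, to): block body} for each 'pool { ... }' in dhcpd.conf."""
    blocks = {}
    for body in re.findall(r"\bpool\s*\{(.*?)\}", conf_text, re.S):
        m = re.search(r"range\s+(\S+)\s+(\S+);", body)
        if m:
            blocks[(m.group(1), m.group(2))] = body
    return blocks

def missing_options(xml_text, conf_text):
    """List (range, value) pairs configured for a pool but absent from its block."""
    blocks = pool_blocks(conf_text)
    return [(rng, val) for rng, vals in expected_pool_options(xml_text).items()
            for val in vals if val not in blocks.get(rng, "")]
```

`missing_options(CONFIG_XML, CONF_BEFORE)` reports the dropped option 66 value for the 10.10.100.1 to 10.10.100.99 pool; against `CONF_AFTER` it returns an empty list.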

Associated revisions

Revision 28598720 (diff)
Added by Phillip Davis almost 3 years ago

Fix #6720 DHCP options by pool

It is a little bit tricky having to generate the unique "option custom-if-n-m code ..." lines at first where n = pool index and m = item index in the items of the pool. Then make sure to reference that later, getting the same pool index into the array of pools. The $all_pools array has the "overall" or "base" pool first (at index 0), followed by the user-specified pools at index 1, 2, 3,... - which are actually at indexes 0, 1, 2,... in the ordinary array of pools in the config. So the -1 at line 910 has to happen.
But it works for me.

Revision dc13f5e0 (diff)
Added by Phillip Davis almost 3 years ago

Fix #6720 DHCP options by pool

(cherry picked from commit 285987208f31f38abe35b984b08645d43c11b001)

Revision 9a1ae6e6 (diff)
Added by Phillip Davis almost 3 years ago

Fix #6720 DHCP options by pool

(cherry picked from commit 285987208f31f38abe35b984b08645d43c11b001)

History

#1 Updated by Phillip Davis almost 3 years ago

Looking in the code I found a couple of other things when I did some first looking:
1) A problem when specifying DDNS Domain in a static map entry https://github.com/pfsense/pfsense/pull/3109
2) Duplication of the "option domain-name-servers" line when specified for a pool https://github.com/pfsense/pfsense/pull/3110

Stuff like ntp-server and dns-server is only put in the block for the pool if it is different to the overall ntp-server or dns-server for the interface as a whole. So, for example, in the OPs listing above the ntp-server for the pool is specified as 10.10.100.254, the same as for the overall interface, so it is not repeated in the pool. When I put a different value for the pool ntp-server then it appears in the config.

#2 Updated by Phillip Davis almost 3 years ago

Please try the code at pull request https://github.com/pfsense/pfsense/pull/3112 - /etc/inc/services.inc - and report back if it works for you.

#3 Updated by Harald Gutmann almost 3 years ago

Dear Phillip Davis,

many thanks for your fast reaction and fix!
I've tested several combinations and can so far confirm that the expected functionality is now there.

The output in the dhcpd.conf looks like this:

subnet 10.10.100.0 netmask 255.255.255.0 {
        pool {
                deny members of "001565";
                deny members of "00A0BA";
                deny members of "000DB9";

                range 10.10.100.110 10.10.100.150;
        }

        pool {
                option domain-name-servers 8.8.8.8;
                allow members of "001565";
                option domain-name-servers 8.8.8.8;
                option ntp-servers at.pool.ntp.org;

        option custom-opt8-0-0 "http://10.10.100.100/yealink/";
                range 10.10.100.1 10.10.100.99;
        }

        pool {
                option domain-name-servers 8.8.8.8;
                allow members of "00A0BA";
                option domain-name-servers 8.8.8.8;

        option custom-opt8-1-0 "http://10.10.100.100/patton_gw/";
                range 10.10.100.102 10.10.100.103;
        }

        option routers 10.10.100.254;
        option domain-name-servers 10.10.100.254;
        option ntp-servers 10.10.100.254;

        option custom-opt8-0 "http://10.10.100.100/general/";
}

I've noticed the following flaws:
  • domain-name-servers are listed twice. All other options I tried are only listed once in the sub-pools.
  • indentation of option custom-optX-Y-Z does not match the blocks.

Again, many thanks for your support!

Best regards,
Harald Gutmann

#4 Updated by Phillip Davis almost 3 years ago

1) "domain-name-servers are listed twice" - yeh, I noticed that also. Should be fixed by pull request https://github.com/pfsense/pfsense/pull/3110

2) I added an extra tab of indent to PR 3112

#5 Updated by Harald Gutmann almost 3 years ago

I've just tested PR3112 including the 2nd commit & PR3110.
The result is now perfect, functionality is there & the config file looks clean.

I think we can consider this as done when the according pull requests are merged.

Many many thanks for your efforts to fix this issue.

Best Regards,
Harald Gutmann

#6 Updated by Renato Botelho almost 3 years ago

  • Status changed from New to Feedback

Pull request has been merged. Thanks!

#7 Updated by Phillip Davis almost 3 years ago

  • % Done changed from 0 to 100

#8 Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to Resolved

Fixed, per above feedback
