Static ARP is not applied at boot time
The problem is that if you make changes under DHCP server and apply them, then both the DHCP lease as well as ARP table stop showing active IPs and DHCP leases; it starts showing all static IPs as online, and under the ARP table you can see all static IPs in the table. I have been seeing this issue since 1.2.3, and to reproduce it do the following:
- DHCP server needs to be configured to give out IPs
- Usually under the ARP table you only see computers that are online or connected and not all statically configured IP to MAC addresses, and in the status under DHCP lease you see only all statically configured IP to MAC, but only those hosts show online which are actually online
- Now go to DHCP server and make some minor changes or simply click save and apply them, then go to the ARP table and DHCP lease and you'll see what I mean: those tables are not refreshed anymore to show active hosts etc. until a reboot
this is on 31st July nanobsd on alix
Ensure static ARP is configured each time the DHCP service is configured. Previously, it was not enabled after bootup, but was if saved from the GUI. Fixes #782
#1 Updated by Jim Pingle about 9 years ago
- Category set to DHCP Server
I see that if static ARP is disabled, every time DHCP settings are saved it clears out the ARP table, which may explain some of what you are seeing.
It does update though, once hosts start talking through the router again they show up in the ARP table, and thus show as online.
This isn't really a bug per se; it's rather harmless and only cosmetic. But it might be possible to improve this so that the ARP table is only cleared when static ARP is being disabled, and not every time it is run. It might not be worth the effort though.
#2 Updated by Bipin Chandra about 9 years ago
Static ARP is enabled for me and still I left it for 24 hours and all the communicating hosts never show as online, or let's say all DHCP lease entries and ARP show all IPs etc. online; it doesn't refresh.
It could just be cosmetic, but at least the DHCP lease and ARP tables are supposed to function back to normal after DHCP settings are saved rather than rebooting it just to see proper functionality of those 2 tables.
I'm reporting using nanobsd on alix and having static ARP enabled or disabled; it doesn't refresh both ways and has been happening since 1.2.3
#4 Updated by Bipin Chandra about 9 years ago
Yes, I want only static entries to talk to the firewall, although the clients still get a DHCP lease from the DHCP server, but they are not able to surf the internet etc.
Regarding being applied or not, no idea, but one thing I know: the MAC IDs not listed get an IP from DHCP but are never able to do anything else.
#5 Updated by Jim Pingle about 9 years ago
With static ARP enabled, if the MAC is not listed, they shouldn't be able to even get an IP from DHCP. And they will not be able to route out to the internet if they aren't listed either. To let people get an IP from DHCP, you can put in an entry with their MAC address and leave the IP field blank.
If a MAC that isn't listed can ever get out to the Internet with static ARP enabled, that is the real bug.
#6 Updated by Bipin Chandra about 9 years ago
So the 2 I see in this are as follows:
- Even with static ARP enabled and client MAC not listed, new clients with an unlisted MAC also get a DHCP lease
- After applying any DHCP server settings, the DHCP lease page and ARP entry page don't refresh at all.
I have all the client MAC IDs with IPs listed under DHCP server so they get the same IP every time and only those MACs are allowed.
#8 Updated by Jim Pingle about 9 years ago
So point 1 is the real bug, and point 2 is irrelevant, those won't update with static ARP enabled, since the ARP entries are always there, they will always show online.
As for Deny unknown clients, that really shouldn't matter if static ARP is on. I'll run some tests and see what I can reproduce.
#9 Updated by Bipin Chandra about 9 years ago
The reason why I'm saying point 2 is also a cosmetic bug or so is because, static ARP enabled or not, once rebooted, the ARP table and DHCP lease table show clients online and offline as they come and go, so then why after a DHCP server change does it stop updating the table as usual till a reboot?
#11 Updated by Jim Pingle about 9 years ago
- Subject changed from dhcp lease and arp table status bug to Static ARP is not applied at boot time
Confirmed that static arp is off at boot time. If you check static arp, then save, the interface shows static arp is applied. If you reboot, static arp is not configured on the interface.
#13 Updated by Bipin Chandra about 9 years ago
After the patch, things have gone much worse. As soon as I go to DHCP server and tick static ARP and click save, everyone gets locked out; no one can ping nor communicate with the firewall in spite of all client MACs and IPs being listed in the static table, and even on reboot everyone is still locked out till I boot into an older snap and untick that setting and reboot to the snap with the applied patch.
What I wanted to know is: do the firewall IP and MAC also need to be in the static table?
#16 Updated by Jim Pingle about 9 years ago
Yes, but it was always enabled in the GUI - only now it's enabled in the GUI and at boot time. Previously, it was only enabled when saved from the GUI.
What I was saying was that it shouldn't be any different in the GUI now than before, logically. I need to run some tests to find out what might have changed as a result of the difference in the code.
#17 Updated by Jim Pingle about 9 years ago
- Status changed from Feedback to Resolved
It works fine, as intended, though I was incorrect on one point: You must specify IP addresses for clients listed in the DHCP static maps when using static ARP. You can't have entries with only a MAC address listed, or they will not be able to communicate with the firewall.
The static ARP entries require both a MAC address and an IP address or they won't be added by the OS when configuring static ARP.
There is input validation when adding a DHCP static map while static ARP is active which enforces this, and I just added input validation that will prevent you from enabling static arp if you have map entries without IP addresses, since this is not a valid configuration.
This should all work properly now - it was broken before, just not in the way you thought. You either need to disable static ARP, or define IP addresses for all of your static map entries.
#18 Updated by Bipin Chandra about 9 years ago
All my entries have been with IP and MAC, and for me if I then enable static ARP, everyone is locked out, so for me it has become totally useless enabling it now or else no one can communicate with the firewall, can't even load the web GUI, not to mention the firewall becomes unpingable even.
#19 Updated by Jim Pingle about 9 years ago
Then wait for the next update and try again to disable/enable the service. It works fine for me now in my VM setup. If I enable static ARP and the client doesn't have an entry, it gets nothing. If it has a static map entry with MAC and IP address, it works fine.
#22 Updated by Bipin Chandra about 9 years ago
- File capture.pcap added
I tried the 5th August nanobsd and this doesn't work. As soon as I enable it, everyone gets locked out, but the LAN clients get a DHCP lease and the LAN client MAC ID and IP are listed in the static ARP entries, but still they can't surf or even open the pfSense web GUI. Wireshark log attached.
#24 Updated by Bipin Chandra about 9 years ago
- File config-firewall.pfsense-20100805161735.xml added
arp -a before enabling static arp
? (192.168.0.11) at 00:1b:11:0b:ef:9b on vr0 expires in 1134 seconds [ethernet]
firewall.pfsense (192.168.0.1) at 00:0d:b9:13:47:84 on vr0 permanent [ethernet]
? (192.168.0.23) at 00:1b:77:8f:ae:e1 on vr0 expires in 1134 seconds [ethernet]
arp -a after enabling static arp
firewall.pfsense (192.168.0.1) at 00:0d:b9:13:47:84 on vr0 permanent [ethernet]
MAC id of my client machine
NOTE: KINDLY DELETE THE FILES ONCE YOU HAVE SEEN THEM INCLUDING THE CAPTURE IN THE EARLIER POST
#27 Updated by Jim Pingle about 9 years ago
So for some reason your MAC/IP pairs are not being added to the ARP table when you enable static ARP.
Although you still have entries without hostnames in that config, and the current GUI will not let you enable static ARP in that case. (Or not, my brain didn't process that properly, it's IPs that you need -- ignore that)
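An added example, not part of the ticket or of pfSense's code: a Python check that parses `arp -a` output in the format posted in comment #24 and reports DHCP static maps that lack a permanent ARP entry, including MAC-only maps, which comment #17 says cannot become static ARP entries. The static map list and the MAC-only address are constructed for illustration, since the reporter's configuration is not shown on the page.

```python
import re

# One line of FreeBSD `arp -a` output, in the format shown in comment #24.
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) "
    r"on (?P<ifc>\S+) (?P<state>permanent|expires in \d+ seconds)", re.I)

# `arp -a` output copied from comment #24.
ARP_BEFORE = """\
? (192.168.0.11) at 00:1b:11:0b:ef:9b on vr0 expires in 1134 seconds [ethernet]
firewall.pfsense (192.168.0.1) at 00:0d:b9:13:47:84 on vr0 permanent [ethernet]
? (192.168.0.23) at 00:1b:77:8f:ae:e1 on vr0 expires in 1134 seconds [ethernet]
"""
ARP_AFTER = """\
firewall.pfsense (192.168.0.1) at 00:0d:b9:13:47:84 on vr0 permanent [ethernet]
"""

# Constructed static maps (assumption): the two clients seen above plus one
# MAC-only entry using a documentation-range MAC address.
STATIC_MAPS = [("00:1B:11:0B:EF:9B", "192.168.0.11"),
               ("00:1b:77:8f:ae:e1", "192.168.0.23"),
               ("00:00:5e:00:53:01", None)]

def parse_arp(text):
    """Return {ip: (mac, is_permanent)}; unparseable lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["state"].lower() == "permanent")
    return table

def audit_static_arp(static_maps, arp_text):
    """Return (mac, ip, problem) for every map not backed by a permanent entry."""
    table, findings = parse_arp(arp_text), []
    for mac, ip in static_maps:
        mac = mac.lower()
        if not ip:
            findings.append((mac, None, "no IP address, cannot be a static ARP entry"))
        elif ip not in table:
            findings.append((mac, ip, "missing from ARP table"))
        elif table[ip][0] != mac:
            findings.append((mac, ip, "ARP table holds a different MAC"))
        elif not table[ip][1]:
            findings.append((mac, ip, "dynamic entry, not permanent"))
    return findings

if __name__ == "__main__":
    for label, text in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        for finding in audit_static_arp(STATIC_MAPS, text):
            print(label, *finding)
```

Run against the "after" output, both listed clients are reported as missing from the ARP table, which is the condition described in comment #27.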
#29 Updated by Bipin Chandra about 9 years ago
I applied the patch and tried it and it works fine now, but the core issue still remains, that is, client MACs not listed in the table still get a DHCP lease but are not able to communicate further with the firewall. Like you said, they are not supposed to even get a DHCP lease, but they do still get it.
#30 Updated by Jim Pingle about 9 years ago
If you check "deny unknown clients" it would prevent that. It's likely a byproduct of DHCP being broadcast, and not directed at the router.
Hosts receiving DHCP leases are not added to the ARP table when making a DHCP request, so it's not really a bug in the sense of the settings not being applied properly any longer.