pfSense

static ARP is enabled for me and still i left it for 24 hours and all the communicating hosts never show as online or lets says all dhcp lease entry and arp show all ip etc online, it doesnt refresh.

it could just be cosmetic but at least the dhcp lease and arp tables r supposed to function back to normal after dhcp settings r saved rather than rebooting it just to see proper functionality of those 2 tables.

im reporting using nanobsd on alix and having static arp enabled or disabled, it doesn't refresh both ways and has been happenning since 1.2.3

If static ARP is enabled, then only the hosts with static entries can talk to the router. Are you sure you need static ARP enabled?

It might be that static ARP isn't properly applied on reboot, and you aren't using it as intended.

yes i want only static entries to talk to the firewall although the clients still get a DHCP lease from the DHCP server, but they r not able to surf the internet etc.

regarding being applied or not no idea but one thing i know, the mac ids not listed, get a ip from dhcp but r never able to do anything else.

With static ARP enabled, if the MAC is not listed, they shouldn't be able to even get an IP from DHCP. And they will not be able to route out to the internet if they aren't listed either. To let people get an IP from DHCP, you can put in an entry with their MAC address and leave the IP field blank.

If a MAC that isn't listed can ever get out to the Internet with static ARP enabled, that is the real bug.

so the 2 i see in this is as follows:

- even with static arp enabled and client mac not listed, new clients with not listed mac also get a dhcp lease

- after applying any dhcps erver settings, dhcp lease page and arp entry page dont refresh at all.

i have all the client mac ids with ips listed under dhcp server so they get the same ip everytime and only those macs r allowed.

the reason y i see clients get ip lease is mayb because Deny unknown clients is unticked

So point 1 is the real bug, and point 2 is irrelevant, those won't update with static ARP enabled, since the ARP entries are always there, they will always show online.

As for Deny unknown clients, that really shouldn't matter if static ARP is on. I'll run some tests and see what I can reproduce.

the reason y im saying point 2 is also cosmetic bug or so is because static arp enabled or no, once rebooted, arp table and dhcp lease table show clients online and offline as they come and go so then y after a dhcp server change it stops updating the table as usual till a reboot?

With static arp they should always show online, never offline, because they will always be in the ARP table. So if the actual bug gets fixed, point 2 is moot.

after the patch, things have gone much worse, as soon as i go to dhcps erver and tick static arp and click save, every1 gets locked out, no1 can ping nor communicate witht he firewall inspite of all client mac and ip listed in static table and even on reboot every1 is still locked out till i boot into a odler snap and untick that setting and reboot to the snap with the applied patch.

what i wanted to know is that does the firewall ip and amc also needed to be in the static table?

There shouldn't be any difference when saving from the GUI, but I'll look into it.

The firewall's MAC doesn't need to be listed.

its not the gui but its the patch itself, if static arp is enabled,e very1 is locked out, no1 can communicate with the firewall

Yes, but it was always enabled in the GUI - only now it's enabled in the GUI and at boot time. Previously, it was only enabled when saved from the GUI.

What I was saying was that it shouldn't be any different in the GUI now than before, logically. I need to run some tests to find out what might have changed as a result of the difference in the code.

all my entries have been with ip and mac and for me if i then enable static arp, every1 is locked out so for me its become totally useless enabling it now or else no1 can communicate with the firewall, cant even laod the web gui not to mention firewall becomes unpingable even.

Then wait for the next update and try again to disable/enable the service. It works fine for me now in my VM setup. If I enable static ARP and the client doesn't have an entry, it gets nothing. If it has a static map entry with MAC and IP address, it works fine.

did u try rebooting with the static arp enabled and ur client machines ip and mac already in list and that too on the nanobsd?

Yes, it works on reboot, and even on NanoBSD.

What would help more is:

• The output of "arp -a" before you enable
• The output of "arp -a" after you enable
• The MAC address of the workstations you are testing with
• A copy of your config.xml

So for some reason your MAC/IP pairs are not being added to the ARP table when you enable static ARP.
Although you still have entries without hostnames in that config, and the current GUI will not let you enable static ARP in that case. (Or not, my brain didn't process that properly, it's IPs that you need -- ignore that)

i applied the patch and tried it and it works fine now but the core issue still remains, that is, client macs not listed in table still get a dhcp lease but r not able to communicate further with the firewall, like u said they r not supposed to even get a dhcp lease, but they do stil get it.

If you check "deny unknown clients" it would prevent that. It's likely a byproduct of DHCP being broadcast, and not directed at the router.

Hosts receiving DHCP leases are not added to the ARP table when making a DHCP request, so it's not really a bug in the sense of the settings not being applied properly any longer.

ok then the rest works fine except the pppoe after 30th august which is preventing me from upgrading to the latest.